Security Headers #835

jsharkey13 · 2017-04-20T09:39:20Z

Taking a look at https://securityheaders.io/, it looks like we could do a better job of adding some of these headers. I tested the following on staging, and they seem to be an improvement on nothing without requiring an extensive rewrite:

add_header Content-Security-Policy "upgrade-insecure-requests; default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;

These are good for reference:

the SSL only CSP header version described at the bottom of this page, which is loose but better than nothing
an overview of the other headers can be found here

We get quite a few console errors about some external services not being able to load fonts from about:blank that should be investigated before we deployed this!

The text was updated successfully, but these errors were encountered:

# The HSTS header isn't really an SSL config, so move it out that file. # Relevant to isaacphysics/isaac-app#835

jsharkey13 added the would-be-nice label Apr 20, 2017

jsharkey13 added a commit to isaacphysics/isaac-router that referenced this issue Oct 20, 2017

Explicity add useful security headers to http block

3095833

# The HSTS header isn't really an SSL config, so move it out that file. # Relevant to isaacphysics/isaac-app#835

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security Headers #835

Security Headers #835

jsharkey13 commented Apr 20, 2017

Security Headers #835

Security Headers #835

Comments

jsharkey13 commented Apr 20, 2017