Enable security headers by default #276

Closed
Badgerati opened this issue Feb 26, 2022 · 0 comments · Fixed by #283
@Badgerati
Owner

In Pode 2.6.0 there was a new feature added to enable security headers in middleware. In Pode.Web, we should enable most of these by default (but with the option to turn them off). This includes headers like CORS, X-Frame, Permission-Policy, etc.

(This should only be done if the installed Pode module is v2.6.0, so either this is the new required version, or we just check the version).

On Use-PodeWebTemplates there should be a new -Security parameter, with possible options: None, Default, Simple, Strict.

  • None: no security headers
  • Default: use inbuilt Simple, but "default-src" for Content Security should allow http/s, and CORS should be open
  • Simple: use inbuilt Simple
  • Strict: use inbuilt Strict

For Default, Simple, and Strict, all 3 will need extra options being enabled to support some features/structure of Pode.Web:

Add-PodeSecurityContentSecurityPolicy `
    -Style 'self', 'unsafe-inline' `
    -Scripts 'self', 'unsafe-inline' `
    -Image 'self', 'data'

There should also be a -UseHsts switch, so people can optionally enable the Strict-Transport-Security header.

Default will be the default enabled. To disable:

Use-PodeWebTemplates -Security None

Or to use Simple:

Use-PodeWebTemplates -Security Simple

Or to use Strict with HSTS:

Use-PodeWebTemplates -Security Strict -UseHsts
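As an added example (not Pode.Web's own implementation, and not code from the issue), the sketch below shows one way the proposed -Security and -UseHsts parameters could be mapped onto Pode's security middleware cmdlets, including the Pode 2.6.0 version check the issue asks for. It assumes Add-PodeSecurity, Add-PodeSecurityContentSecurityPolicy and Add-PodeSecurityAccessControl exist in Pode 2.6.0 with the parameters used here; the function name Set-PodeWebSecurityExample is hypothetical.

```powershell
# Added example, not Pode.Web's code. Hypothetical function that applies the
# None / Default / Simple / Strict options described in the issue on top of
# Pode's security middleware. Assumes the Pode cmdlets and parameters used
# below exist as of Pode 2.6.0.
function Set-PodeWebSecurityExample {
    [CmdletBinding()]
    param(
        [Parameter()]
        [ValidateSet('None', 'Default', 'Simple', 'Strict')]
        [string]
        $Security = 'Default',

        # HSTS stays opt-in: enabling it on a site that is not served over
        # TLS locks browsers out until the max-age expires
        [switch]
        $UseHsts
    )

    # None: register nothing, responses are left without security headers
    if ($Security -eq 'None') {
        return
    }

    # The security middleware only exists from Pode 2.6.0 onwards, so check
    # the loaded module's version before calling into it
    $pode = Get-Module -Name Pode
    if (($null -eq $pode) -or ($pode.Version -lt [version]'2.6.0')) {
        throw "Pode 2.6.0 or newer is required to use -Security $Security"
    }

    # Default and Simple both start from Pode's inbuilt Simple set,
    # Strict starts from the inbuilt Strict set
    $type = if ($Security -eq 'Strict') { 'Strict' } else { 'Simple' }
    Add-PodeSecurity -Type $type -UseHsts:$UseHsts

    # Pode.Web needs inline styles/scripts and data: images, so only these
    # CSP directives are widened; everything else keeps the inbuilt values
    $csp = @{
        Style   = 'self', 'unsafe-inline'
        Scripts = 'self', 'unsafe-inline'
        Image   = 'self', 'data'
    }

    # Default additionally lets default-src load over http/https and opens CORS
    if ($Security -eq 'Default') {
        $csp['Default'] = 'self', 'http', 'https'
        Add-PodeSecurityAccessControl -Origin '*' -Methods '*' -Headers '*'
    }

    # Single call so the directives are applied together
    Add-PodeSecurityContentSecurityPolicy @csp
}

# Usage, inside a Start-PodeServer { ... } block:
#   Set-PodeWebSecurityExample -Security Strict -UseHsts
```

The CSP directives are collected into one splat and applied with a single call, so the Default-only "default-src" widening is added to the same header rather than risking a second call overwriting the first.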
@Badgerati Badgerati added the enhancement ⬆️ New feature or request label Feb 26, 2022
@Badgerati Badgerati added this to the 0.8.0 milestone Feb 26, 2022
@Badgerati Badgerati added feature ☀️ and removed enhancement ⬆️ New feature or request labels Feb 26, 2022
@Badgerati Badgerati self-assigned this Mar 8, 2022
Badgerati added a commit that referenced this issue Mar 13, 2022
@Badgerati Badgerati mentioned this issue Mar 30, 2022