In Pode 2.6.0 there was a new feature added to enable security headers in middleware. In Pode.Web, we should enable most of these by default (but with the option to turn them off). This includes headers like CORS, X-Frame, Permission-Policy, etc.
(This should only be done if the installed Pode module is v2.6.0, so either this is the new required version, or we just check the version).
On `Use-PodeWebTemplate` there should be a new `-Security` parameter, with possible options: None, Default, Simple, Strict.
- None: no security headers
- Default: use inbuilt Simple, but "default-src" for Content Security should allow http/s, and CORS should be open
- Simple: use inbuilt Simple
- Strict: use inbuilt Strict
For Default, Simple, and Strict, all 3 will need extra options being enabled to support some features/structure of Pode.Web:
There should also be a `-UseHsts` switch, so people can optionally enable the Strict-Transport-Security header.
Default will be the Default enabled. To disable:
Or to use Simple:
Or to use Strict with HSTS:
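A sketch of how the four `-Security` levels, the `-UseHsts` switch and the Pode version check described in this issue could map onto Pode's security-header functions. It is added here as an example and is not taken from the issue or from Pode.Web's source. `Set-ExampleWebSecurity` is a hypothetical name, and the Pode cmdlets it calls are assumed to be present in the loaded Pode version.

```powershell
# Added sketch, not Pode.Web source. Set-ExampleWebSecurity is a hypothetical name.
# Intended to be called inside a Pode server scriptblock (Start-PodeServer { ... }).
function Set-ExampleWebSecurity {
    [CmdletBinding()]
    param(
        [ValidateSet('None', 'Default', 'Simple', 'Strict')]
        [string]$Security = 'Default',

        [switch]$UseHsts
    )

    # The security-header middleware arrived in Pode 2.6.0, so do nothing on
    # older versions instead of failing on commands that do not exist there.
    $pode = Get-Module -Name Pode | Sort-Object Version -Descending | Select-Object -First 1
    if (($null -eq $pode) -or ($pode.Version -lt [version]'2.6.0')) {
        Write-Verbose 'Pode 2.6.0 or later is not loaded; no security headers applied.'
        return
    }

    switch ($Security) {
        'None' {
            # No security headers at all.
            Remove-PodeSecurity
        }
        'Default' {
            # Inbuilt Simple, then relaxed in the two ways the issue lists.
            Set-PodeSecurity -Type Simple -UseHsts:$UseHsts
            # default-src additionally allows http: and https: sources.
            Add-PodeSecurityContentSecurityPolicy -Default 'http', 'https'
            # Open CORS: any origin, method and header.
            Set-PodeSecurityAccessControl -Origin '*' -Methods '*' -Headers '*'
        }
        default {
            # 'Simple' and 'Strict' map directly onto Pode's inbuilt types.
            Set-PodeSecurity -Type $Security -UseHsts:$UseHsts
        }
    }
}
```

The relaxed 'Default' level trades a tighter Content-Security-Policy and CORS policy for compatibility, so sites that do not load cross-origin assets can move to Simple or Strict and confirm the resulting response headers in the browser's network tab.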