
[legacy-framework] Add blitz install secureheaders recipe for setting secure headers #2019

Merged
merged 1 commit into from Mar 1, 2021

Conversation

MrLeebo
Member

@MrLeebo MrLeebo commented Feb 28, 2021

What are the changes and their implications?

Creates a new blitz recipe for setting a default list of security headers. There are probably more improvements that we can make with this. I wasn't sure how to compute hashes for styles (especially since the user might use one of any number of CSS frameworks) so I included 'unsafe-inline' by default.

Sets the following headers:

  • Content-Security-Policy (as a meta tag)
  • Referrer-Policy (as a meta tag)
  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • Permissions-Policy
  • X-Powered-By (disabled, nextjs enables this by default)

Checklist

  • Changes covered by tests (tests added if needed)
  • PR submitted to blitzjs.com for any user facing changes
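Added example, not the recipe's own code: a Next.js `next.config.js` `headers()` entry carrying the header set listed in the description, plus a small audit function that reports which of those headers a response lacks and whether `X-Powered-By` is still present. The header values and CSP directives are assumptions chosen for illustration; the PR delivers CSP and Referrer-Policy as meta tags, whereas this sends everything as response headers.

```javascript
// Assumed CSP, following the PR's choice: 'unsafe-inline' stays for styles
// because style hashes cannot be precomputed for an arbitrary CSS framework;
// scripts do not get it. frame-ancestors is ignored when CSP is delivered as
// a <meta> tag, which is one reason to send this as a response header.
const contentSecurityPolicy = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "font-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join("; ");

// Baseline header set from the PR description (values are assumptions).
// X-Powered-By is handled separately: it must be absent, not set.
const secureHeaders = {
  "Content-Security-Policy": contentSecurityPolicy,
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Shape returned by `async headers()` in next.config.js: one rule that
// applies every baseline header to every route.
function nextHeadersConfig() {
  return [
    {
      source: "/(.*)",
      headers: Object.entries(secureHeaders).map(([key, value]) => ({ key, value })),
    },
  ];
}

// Audit a response's header map (names compared case-insensitively, as HTTP
// requires) and return the baseline headers it lacks plus whether
// X-Powered-By leaked through. Useful as a test against a running app.
function auditHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((k) => k.toLowerCase()));
  const missing = Object.keys(secureHeaders).filter(
    (name) => !present.has(name.toLowerCase())
  );
  return { missing, poweredByLeaked: present.has("x-powered-by") };
}
```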

@blitzjs-bot blitzjs-bot bot added this to In Review in Dashboard Feb 28, 2021
@flybayer
Member

flybayer commented Mar 1, 2021

Thanks!! Question: should we add some of these directly to the new app template?

@MrLeebo
Member Author

MrLeebo commented Mar 1, 2021

Potentially yes, but I wouldn't want to introduce a burden on users that don't want to pay attention to security headers because they are working on toy projects or something. X-Powered-By is safe to disable in the default template, but the rest are potentially breaking changes so I suppose it depends on what your tolerance for that is.

@flybayer
Member

flybayer commented Mar 1, 2021

Ok makes sense.

@flybayer flybayer changed the title Add recipe for setting secure headers Add blitz install secureheaders recipe for setting secure headers Mar 1, 2021
@flybayer flybayer merged commit e8551a0 into blitz-js:canary Mar 1, 2021
Dashboard automation moved this from In Review to Done Mar 1, 2021
@MrLeebo MrLeebo deleted the recipe-secureheaders branch March 1, 2021 22:45
@dillondotzip dillondotzip changed the title Add blitz install secureheaders recipe for setting secure headers [legacy-framework] Add blitz install secureheaders recipe for setting secure headers Jul 7, 2022