On reflection, I'm inclined to agree. These are only a concern when exposing publicly anyway, in which case best practice dictates running behind a reverse proxy anyway.
Summary
Cosmos RPC and light client endpoints should return HTTP security headers.
Problem Definition
A recent penetration test suggested that our public-facing RPC/LCD nodes should expose the following headers in the response:
I'm caught between whether these headers ought to be exposed by the clients themselves, or whether we should introduce a load balancer (which is our current workaround) to enforce these headers.
Your thoughts are appreciated :)
Proposal
RPC and LCD should (optionally?) expose the HTTP security headers listed above.
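The load-balancer workaround discussed in this issue, sketched in Go as an added example (not code from the Cosmos SDK or from the issue's participants): a reverse proxy that forces a fixed set of response headers in front of a node, including on its own error responses. The header set, the upstream address `127.0.0.1:26657` and the listen port `:8080` are assumptions, because the header list from the penetration test is not reproduced on this page.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// securityHeaders is an assumed baseline for a JSON API, not the issue's list.
var securityHeaders = map[string]string{
	"X-Content-Type-Options":  "nosniff",
	"X-Frame-Options":         "DENY",
	"Referrer-Policy":         "no-referrer",
	"Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

// applyHeaders overwrites (not appends) so an upstream value cannot weaken policy.
func applyHeaders(h http.Header) {
	for name, value := range securityHeaders {
		h.Set(name, value)
	}
}

// NewHeaderProxy returns a reverse proxy for upstream that forces the
// security headers onto every response it relays.
func NewHeaderProxy(upstream *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	proxy.ModifyResponse = func(resp *http.Response) error {
		applyHeaders(resp.Header)
		return nil
	}
	// ModifyResponse never runs when the upstream is unreachable, so the
	// proxy's own 502 response has to set the headers itself.
	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
		applyHeaders(w.Header())
		http.Error(w, "upstream unavailable", http.StatusBadGateway)
	}
	return proxy
}

func main() {
	// Assumed layout: node RPC bound to localhost only, proxy exposed publicly.
	upstream, err := url.Parse("http://127.0.0.1:26657")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", NewHeaderProxy(upstream)))
}
```
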