The website could use some security HTTP headers #51

Closed
xaban2 opened this issue Nov 11, 2020 · 2 comments

Comments

xaban2 commented Nov 11, 2020

Currently it gets an "F" grade: scan results

@xaban2 xaban2 changed the title The website could use some security headers The website could use some security HTTP headers Nov 11, 2020
denysvitali (Owner) commented

Nice catch, this was already solved in the past but I recently switched to a new host and forgot to apply the config. Give me 10 minutes

denysvitali added a commit that referenced this issue Nov 12, 2020
denysvitali added a commit that referenced this issue Nov 12, 2020
denysvitali added a commit that referenced this issue Nov 13, 2020
Apparently NGINX will take only the headers from the deepest
context that it finds. In this case, the deepest one was the
`if` condition on cors.conf. For this reason, all the
other headers were ignored.

This fix uses variables instead, so that all the `add_header`
directives stay on the same level, allowing us to not re-write
those headers.
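
The inheritance rule the commit message describes, as an added example (not the project's actual configuration): `add_header` directives are inherited from the enclosing level only when the current level defines none. The contents of `cors.conf`, the origin pattern, header values, ports, paths and server names below are assumptions.

```nginx
# Constructed example; place both server blocks inside http { }.
# Header values, origin pattern, ports and paths are assumptions.

# BEFORE: add_header inside `if`, the deepest context for matching requests.
server {
    listen 8080;
    server_name before.example;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;

    location / {
        root /var/www/html;
        # Assumed content of cors.conf, inlined here:
        if ($http_origin ~ "^https://app\.example$") {
            # Matching requests are served from this `if` context. It defines
            # its own add_header, so nothing is inherited from the server
            # level and the three security headers above are dropped.
            add_header Access-Control-Allow-Origin $http_origin always;
        }
    }
}

# AFTER: the `if` only sets a variable; every add_header stays at one level.
server {
    listen 8081;
    server_name after.example;

    set $cors_origin "";
    if ($http_origin ~ "^https://app\.example$") {
        set $cors_origin $http_origin;
    }

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;
    # nginx emits no header when the value is empty, so origins that do not
    # match get no Access-Control-Allow-Origin at all.
    add_header Access-Control-Allow-Origin $cors_origin always;

    location / {
        # No add_header here, so the server-level set is inherited intact.
        root /var/www/html;
    }
}
```

After `nginx -t` and a reload, `curl -sI -H 'Origin: https://app.example' http://localhost:8080/` should show only the CORS header from the first server, while the same request against port 8081 should show all four.
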
denysvitali (Owner) commented

Solved:
[Screenshot: 20201113_15h59m54s_grim]

I'm still missing the Permissions-Policy header, but I decided not to implement it since it is still a draft (:
