
Implement security recommendations from #293

goenning opened this Issue Mar 2, 2018 · 3 comments


goenning commented Mar 2, 2018

Current Score

| Test | Score | Explanation |
|---|---|---|
| Content Security Policy | -25 | Content Security Policy (CSP) header not implemented |
| HTTP Strict Transport Security | -20 | HTTP Strict Transport Security (HSTS) header not implemented |
| Referrer Policy | 0 | Referrer-Policy header not implemented (optional) |
| Subresource Integrity | -5 | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https |
| X-Content-Type-Options | -5 | X-Content-Type-Options header not implemented |
| X-Frame-Options | -20 | X-Frame-Options (XFO) header not implemented |
| X-XSS-Protection | -10 | X-XSS-Protection header not implemented |

@goenning goenning added this to the v0.12: April/2018 milestone Mar 24, 2018

@goenning goenning changed the title Implement recommendations of Implement security recommendations from Mar 24, 2018


goenning commented Apr 19, 2018

HTTP Strict Transport Security is the only setting we won't cover on this issue. The reason is that it'll require some effort to make it work as opt-in, read more on

We'll need to revisit this later.


ry4nolson commented Apr 19, 2018

Would you consider not setting X-Frame-Options?
This would let fider be used in a modal.


goenning commented Apr 20, 2018

I thought a lot about that before setting it. Ideally we should have a site setting where you could input your frame host domain, so we would be able to use ALLOW-FROM.

Did I break something on your side? Or are you just thinking about future possibilities? I’m fine with reverting that specific header until we can make it more flexible.
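An added example (not fider's own code) of the approach the thread settles on: a net/http middleware that sets the headers from the scorecard in the first comment, leaves HSTS opt-in as the second comment decides, and takes an optional frame host for the modal use case instead of always denying. The struct fields, header values and the `https://embed.example` origin are assumptions made for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strconv"
)

// SecurityHeaders holds the knobs this issue discusses. Field names are
// assumptions for this example, not fider's own configuration.
type SecurityHeaders struct {
	EnableHSTS bool   // opt-in: only for hosts that will stay HTTPS
	HSTSMaxAge int    // seconds the browser remembers the HTTPS-only rule
	FrameHost  string // "" denies framing; otherwise the one origin allowed to embed
}

// Middleware sets the headers from the scorecard on every response.
func (s SecurityHeaders) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// frame-ancestors is the CSP equivalent of X-Frame-Options; browsers that
		// never supported ALLOW-FROM honour it, so both are sent for the embed case.
		frames := "'none'"
		h.Set("X-Frame-Options", "DENY")
		if s.FrameHost != "" {
			frames = "'self' " + s.FrameHost
			h.Set("X-Frame-Options", "ALLOW-FROM "+s.FrameHost)
		}
		h.Set("Content-Security-Policy",
			"default-src 'self'; object-src 'none'; frame-ancestors "+frames)
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		if s.EnableHSTS { // off by default, as the second comment decided
			h.Set("Strict-Transport-Security", "max-age="+strconv.Itoa(s.HSTSMaxAge))
		}
		next.ServeHTTP(w, r)
	})
}

// HeadersFor runs one in-memory request through the middleware and returns
// the response headers, so each setting can be asserted in a test.
func HeadersFor(s SecurityHeaders) http.Header {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) })
	rec := httptest.NewRecorder()
	s.Middleware(ok).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Result().Header
}
```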
