Implement security recommendations from mozilla.org #293

Closed
goenning opened this Issue Mar 2, 2018 · 3 comments

goenning commented Mar 2, 2018

https://observatory.mozilla.org and https://securityheaders.io/

Current Score

| Test | Score | Explanation |
| --- | --- | --- |
| Content Security Policy | -25 | Content Security Policy (CSP) header not implemented |
| HTTP Strict Transport Security | -20 | HTTP Strict Transport Security (HSTS) header not implemented |
| Referrer Policy | 0 | Referrer-Policy header not implemented (optional) |
| Subresource Integrity | -5 | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https |
| X-Content-Type-Options | -5 | X-Content-Type-Options header not implemented |
| X-Frame-Options | -20 | X-Frame-Options (XFO) header not implemented |
| X-XSS-Protection | -10 | X-XSS-Protection header not implemented |

@goenning goenning added this to the v0.12: April/2018 milestone Mar 24, 2018

@goenning goenning changed the title Implement recommendations of https://observatory.mozilla.org Implement security recommendations from mozilla.org Mar 24, 2018


goenning commented Apr 19, 2018

HTTP Strict Transport Security is the only setting we won't cover on this issue. The reason is that it'll require some effort to make it work as opt-in; read more at https://hstspreload.org/#opt-in

We'll need to revisit this later.


ry4nolson commented Apr 19, 2018

Would you consider not setting X-Frame-Options?
This would let Fider be used in a modal.


goenning commented Apr 20, 2018

I thought a lot about that before setting it. Ideally we should have a site setting where you could input your frame host domain, so we would be able to use ALLOW-FROM.

Did I break something on your side? Or are you just thinking about future possibilities? I’m fine with reverting that specific header until we can make it more flexible.
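The header set from the Observatory table in the opening post, together with the configurable frame host discussed in the last two comments, can be expressed as one piece of HTTP middleware. The following Go code is an added example written for this page; it is not Fider's own implementation. The `SecurityConfig` type, its `FrameHost` and `EnableHSTS` fields, the minimal `default-src 'self'` policy and the example origins are all assumptions chosen for illustration. HSTS stays off unless explicitly enabled and only goes out over TLS, matching the opt-in concern raised above; the frame restriction is emitted both as `X-Frame-Options` and as a CSP `frame-ancestors` directive, since `ALLOW-FROM` is only honoured by older browsers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityConfig holds the settings the middleware needs. The field names are
// assumptions made for this example, not Fider's real configuration.
type SecurityConfig struct {
	// FrameHost, when non-empty, is the single origin allowed to embed the
	// site in a frame (for example "https://intranet.example.com").
	// Empty means framing is denied.
	FrameHost string
	// EnableHSTS is false by default so that HSTS remains opt-in.
	EnableHSTS bool
}

// SecurityHeaders wraps next and adds the headers the Observatory scan
// reported as missing before the wrapped handler writes its response.
func SecurityHeaders(cfg SecurityConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()

		// Framing: deny by default. When a frame host is configured, allow
		// exactly that origin via CSP frame-ancestors (current browsers) and
		// the legacy ALLOW-FROM directive (older browsers).
		frameAncestors := "'none'"
		if cfg.FrameHost != "" {
			frameAncestors = cfg.FrameHost
			h.Set("X-Frame-Options", "ALLOW-FROM "+cfg.FrameHost)
		} else {
			h.Set("X-Frame-Options", "DENY")
		}

		// Minimal placeholder policy; a real site must list the script,
		// style and image sources it actually uses.
		h.Set("Content-Security-Policy", strings.Join([]string{
			"default-src 'self'",
			"frame-ancestors " + frameAncestors,
		}, "; "))

		// Stop MIME sniffing, enable the legacy XSS filter in blocking mode,
		// and limit referrer leakage to cross-origin destinations.
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-XSS-Protection", "1; mode=block")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")

		// HSTS only when opted in, and only on a TLS connection: sending it
		// over plain HTTP is ignored by browsers and misleading in logs.
		if cfg.EnableHSTS && r.TLS != nil {
			h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		}

		next.ServeHTTP(w, r)
	})
}

// HeadersFor runs the middleware against a synthetic request (constructed
// here, not captured traffic) and returns the response headers, so the
// result can be inspected without a live server.
func HeadersFor(cfg SecurityConfig, useTLS bool) http.Header {
	handler := SecurityHeaders(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	target := "http://example.test/"
	if useTLS {
		// An https target makes httptest set a non-nil dummy r.TLS.
		target = "https://example.test/"
	}
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	cfg := SecurityConfig{FrameHost: "https://intranet.example.com"}
	for name, values := range HeadersFor(cfg, true) {
		fmt.Printf("%s: %s\n", name, values[0])
	}
}
```

Leaving `FrameHost` empty reproduces the deny-all behaviour the thread started with; setting it to one origin gives the "site setting" described above without opening framing to every host.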
