Added all http sec headers in strict mode. #28
src/main.rs
@@ -76,6 +77,7 @@ async fn axum(#[shuttle_shared_db::Postgres] pool: PgPool) -> shuttle_axum::Shut | |||
.route_layer(login_required!(Backend, login_url = "/auth")) | |||
.merge(hypermedia::router::auth::router()) | |||
.merge(hypermedia::router::validation::router()) | |||
.layer(HelmetLayer::new(Helmet::default().add(XFrameOptions::Deny))) |
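Review bot: the `.layer(HelmetLayer::new(Helmet::default().add(XFrameOptions::Deny)))` call that closes this hunk overrides only X-Frame-Options and leaves every other header, the Content-Security-Policy included, at whatever the crate's defaults are, so the policy this app actually sends cannot be read from the source; given the report in this thread that the default blocks the inline script in htmx.min.js, state the CSP explicitly in this call (a script-src / script-src-elem that lists the htmx and plotly origins, with a nonce or hash for any inline script rather than 'unsafe-inline') and add a test that asserts the response headers. Keeping this `.layer` as the final call on the router is correct, since that is what makes the merged auth and validation routers receive the headers as well.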
Currently htmx.min.js breaks, as it has an inline script inside it
Check if fixed in 08b7560
Wasn't fixed there, but was in 4291ca5
Note that this fix broke some functionality of CSP in the first place, so a better solution needs to be found
Opened issue at #29 to fix specifically the problem with htmx/plotly and CSP script-src-elem
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
https://owasp.org/www-project-secure-headers/
https://owasp.org/www-community/Security_Headers
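As an added illustration of the script-src-elem fallback this thread runs into (example code, not from the PR or the Helmet layer it adds, using only the Rust standard library), a small checker that decides whether an inline script would run under a given Content-Security-Policy; all policies in it are constructed samples.

```rust
use std::collections::HashMap;

/// Parse a Content-Security-Policy header value into directive name -> source list.
fn parse_csp(header: &str) -> HashMap<String, Vec<String>> {
    header
        .split(';')
        .filter_map(|directive| {
            let mut parts = directive.split_whitespace();
            let name = parts.next()?.to_ascii_lowercase();
            Some((name, parts.map(str::to_string).collect()))
        })
        .collect()
}

/// The directive governing <script> elements: script-src-elem, falling back to
/// script-src and then default-src (the CSP Level 3 fallback chain).
fn governing_script_directive(csp: &HashMap<String, Vec<String>>) -> Option<(&'static str, &[String])> {
    ["script-src-elem", "script-src", "default-src"]
        .iter()
        .copied()
        .find_map(|name| csp.get(name).map(|srcs| (name, srcs.as_slice())))
}

/// A nonce or hash source; its presence makes browsers ignore 'unsafe-inline' in the same directive.
fn is_nonce_or_hash(src: &str) -> bool {
    let s = src.trim_matches('\'');
    ["nonce-", "sha256-", "sha384-", "sha512-"].iter().any(|p| s.starts_with(*p))
}

/// Would an inline <script> carrying `nonce` (None = no nonce attribute) run under this policy?
fn inline_script_allowed(header: &str, nonce: Option<&str>) -> bool {
    let csp = parse_csp(header);
    let srcs = match governing_script_directive(&csp) {
        Some((_, srcs)) => srcs,
        None => return true, // nothing in the policy restricts scripts
    };
    if let Some(n) = nonce {
        if srcs.iter().any(|s| s.trim_matches('\'') == format!("nonce-{n}")) {
            return true;
        }
    }
    !srcs.iter().any(|s| is_nonce_or_hash(s))
        && srcs.iter().any(|s| s.eq_ignore_ascii_case("'unsafe-inline'"))
}

fn main() {
    // Constructed policy: the permissive script-src is overridden by the stricter script-src-elem.
    let policy = "default-src 'self'; script-src 'self' 'unsafe-inline'; script-src-elem 'self'";
    println!("inline <script> allowed: {}", inline_script_allowed(policy, None));
}
```

Running a candidate policy through `inline_script_allowed` before deploying it shows whether a bundle with an inline script will be blocked, and which directive is responsible.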