Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added all http sec headers in strict mode. #28

Merged
merged 4 commits into from
Jan 8, 2024
Merged

Added all http sec headers in strict mode. #28

merged 4 commits into from
Jan 8, 2024

Conversation

nicolasauler
Copy link
Owner

@nicolasauler nicolasauler commented Jan 7, 2024
edited

@nicolasauler nicolasauler self-assigned this Jan 7, 2024
nicolasauler
nicolasauler commented Jan 7, 2024
View reviewed changes
src/main.rs Outdated
@@ -76,6 +77,7 @@ async fn axum(#[shuttle_shared_db::Postgres] pool: PgPool) -> shuttle_axum::Shut
.route_layer(login_required!(Backend, login_url = "/auth"))
.merge(hypermedia::router::auth::router())
.merge(hypermedia::router::validation::router())
.layer(HelmetLayer::new(Helmet::default().add(XFrameOptions::Deny)))
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image
App broken due to CSP in htmx extensions

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently htmx.min.js breaks as having an inline script inside it

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check if fix in 08b7560

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wasn't fixed there, but was in 4291ca5
Note that this fix broke some functionality of CSP in the first place, so a better solution needs to be found

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened issue at #29

@nicolasauler nicolasauler mentioned this pull request Jan 8, 2024
Closed
@nicolasauler
Copy link
Owner Author

Opened issue at #29 to fix specifically the problem with htmx/plotly and CSP script-src-elem

@nicolasauler nicolasauler merged commit 7be62bb into main Jan 8, 2024
2 of 4 checks passed
@nicolasauler nicolasauler deleted the feat-http-sec-headers branch January 8, 2024 02:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@nicolasauler nicolasauler

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@nicolasauler