Add some security HTTP Headers #410
Conversation
Added commit 9723a84 which sets HTTPONLY to CSRF cookies and
Today I've updated the prod site to master branch (and also updated dependencies, but still dj 1.11). If this is finished, we can merge it and try it soon.
Is ready to merge from my side. Should I add some additional header? CSP is rather complex and error prone. Which headers are currently added by nginx?
nginx now:
nginx after PR is merged:
@elnappo correct? Considering 5, guess I don't want
You're right, we don't need We also could add the Feature-Policy header:
https://github.com/w3c/webappsec-feature-policy
Our feature policy would read a bit like "fat free, sugar free, gluten free" printed on a bottle of mineral water. But if it doesn't cause issues, why not have it... |
Yes, unfortunately there is no "deny all" parameter... |
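Since Feature-Policy has no "deny all" form, a deny-everything policy has to name every feature explicitly. The following is an added example (not code from this PR or the project) showing a Django-style middleware that sets such a header, plus a small audit function that reports any feature the header fails to set to 'none'; the feature list is an assumption and should be kept in step with the spec.

```python
# Added example, not from the PR or the project. Feature-Policy has no
# "deny all", so every feature to be denied must be listed with 'none'.
from typing import Dict, List

# Assumed feature names to deny; extend this list as the spec evolves.
DENIED_FEATURES: List[str] = [
    "camera", "microphone", "geolocation", "payment", "usb",
    "accelerometer", "gyroscope", "magnetometer", "midi", "fullscreen",
]


def build_feature_policy(features: List[str]) -> str:
    """Build a Feature-Policy value that denies every listed feature."""
    return "; ".join(f"{name} 'none'" for name in features)


def parse_feature_policy(value: str) -> Dict[str, List[str]]:
    """Parse a Feature-Policy value into {feature: [allowlist tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def undenied_features(header_value: str, expected: List[str]) -> List[str]:
    """Return expected features the header does not deny: either the
    directive is missing or its allowlist is something other than 'none'."""
    policy = parse_feature_policy(header_value)
    return [f for f in expected if policy.get(f) != ["'none'"]]


class FeaturePolicyMiddleware:
    """Django new-style middleware (assumed shape) adding the header to
    every response; any object supporting item assignment works here."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response["Feature-Policy"] = build_feature_policy(DENIED_FEATURES)
        return response
```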
Adds the following HTTP header (set by Django):
See #281