The following is a non-exhaustive list of configurations in Open Zaak to enhance security.
When deploying Open Zaak on a VM, nginx is used as a reverse proxy. A number of headers are set in the virtual host:
Referrer-Policy: "same-origin";- the
HTTP_REFERERheader is sent only to Open Zaak pages X-Content-Type-Options: "nosniff";- protects against user-uploaded content, which is relevant because of the Documents API and serving of that user content
X-XSS-Protection: "1; mode=block";- note that this is not honored by most browsers anymore, but it doesn't hurt to include it
Content-Security-Policy- opt-in, configure the deployment playbook accordingly
Feature-Policy: "autoplay 'none'; camera 'none'" always;- there's no need for these :-)
X-Frame-Optionsis set toDENY- no (i)frames are allowed at all