@mikeshultz @nickick @rolandpo Could you please provide feedback on this proposal? I'm not well versed in the myriad of HTTP security headers... thanks :)
eh, I tend to reinvent the wheel every time I dig into things like CSP. Wonder if we could find some guides or buidlers that would help us put together a header package. Either way, I don't have much feedback without digging into it fully.
strict-transport-security, x-xss-protection, Cross-Origin-Opener-Policy and X-Content-Type-Options headers have been added and merged into the 3 sites. Is there anything else to add?
Awesome. Thanks for adding these headers @rolandpo
Ideally we should also add CSP.
But we have to be careful since it could break loading 3rd party content/scripts.
Lower priority, we can keep this on the backburner for when we have free cycles.
franckc added the P3 (Users are not significantly affected, minor cosmetic issue) label on Dec 29, 2022
I'm not aware of any vulnerability. But as good security hygiene we should set security headers on the HTTP responses returned by all our marketing sites (originprotocol.com; ousd.com; story.xyz).
I took a quick inventory by manually inspecting the responses we are currently returning and also by using one of the many tools returned when googling "security header scanner".
Here are my suggestions.
strict-transport-security
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
=> Let's set:
strict-transport-security: max-age=31536000; includeSubdomains
x-xss-protection
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
=> Let's set:
x-xss-protection: 1; mode=block
Cross-Origin-Opener-Policy
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
=> Let's set:
cross-origin-opener-policy-report-only: same-origin-allow-popups
X-Content-Type-Options: nosniff
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
=> Let's set:
X-Content-Type-Options: nosniff
Referrer policy
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
=> No action needed. The default is strict-origin-when-cross-origin which I think should be fine.
Content-Security-Policy
See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
That one is complicated. Our sites do load some data, img assets and scripts from 3rd party sites. We could take an inventory and add all of them but I'm not positive it's the best way to go. I'd be interested in feedback from our team on what CSP we should use.
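An added checker (example code written for this page, not code from this issue or from the Origin Protocol repos) that tests a response's headers against the exact values proposed above: it flags a missing or too-short HSTS max-age, a missing includeSubDomains, a COOP that is only report-only (so not enforced), and the still-open CSP. The sample header set is constructed from the proposal; X-XSS-Protection is checked only because the proposal lists it, since current Chromium and Firefox ignore that header.

```python
import sys
import urllib.request

HSTS_MIN_AGE = 31536000  # one year, the max-age proposed in the issue

# Constructed sample: the header set exactly as proposed in the issue body.
PROPOSED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubdomains",
    "x-xss-protection": "1; mode=block",
    "cross-origin-opener-policy-report-only": "same-origin-allow-popups",
    "X-Content-Type-Options": "nosniff",
}


def check_security_headers(headers):
    """Return findings for a mapping of response headers (names matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        age = next((d[8:] for d in directives if d.startswith("max-age=")), "")
        if not age.isdigit() or int(age) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below %d" % HSTS_MIN_AGE)
        if "includesubdomains" not in directives:
            findings.append("HSTS missing includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    if "cross-origin-opener-policy" not in h:
        if "cross-origin-opener-policy-report-only" in h:
            findings.append("COOP is report-only, so browsers do not enforce it")
        else:
            findings.append("missing Cross-Origin-Opener-Policy")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    return findings


def check_url(url):
    """GET a URL and check the headers of the final response."""
    with urllib.request.urlopen(url) as resp:
        return check_security_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    # With a URL argument check a live site; otherwise check the constructed sample.
    result = check_url(sys.argv[1]) if len(sys.argv) > 1 else check_security_headers(PROPOSED_HEADERS)
    print("\n".join(result) or "all checks passed")
```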