feat(core) : owasp default values

[vejja]

Closes #232

Types of changes

• Bug fix (a non-breaking change which fixes an issue)
• New feature (a non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Description

This PR updates the default configuration values of Security Headers to conform to the OWASP recommendations

See OWASP Secure Headers Project

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes (if not applicable, please state why)

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nuxt-security	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 21, 2024 9:08am

[vejja]

@Baroshem could you please check the new default values ?
I copied them from https://owasp.org/www-project-secure-headers/#configuration-proposal but there are 2 things you may want to verify:

• there are other recommended headers that we do not set: shall we add them ?
• the OWASP cheat sheets have different values : https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html

let me know what you want to do
I’ll update the docs after that

[Baroshem]

Hey there!

Sorry for no contact from my side as I was quite budy recently.

I would update every property do that we will be up to date with the current state of Owasp and I think I would go for a cheatsheet. I went with Node.js Security Cheatsheet when I was implementing other features.

[vejja]

Hey there!

Sorry for no contact from my side as I was quite budy recently.

I would update every property do that we will be up to date with the current state of Owasp and I think I would go for a cheatsheet. I went with Node.js Security Cheatsheet when I was implementing other features.

Actually I compared the cheatsheet with the recommendation and they are pretty close. The only significant difference is on permissions policy, where the cheat sheet only gives an example but the Best Practice is way more strict.
I'll update CSP for block-all-mixed-content and add the clearSiteData header and I think we'll be good to go.

[Baroshem]

Awesome, thank you for looking into that!

[vejja]

After in-depth review, I think it is better to not make further changes:

• CSP block-all-mixed-content is marked as obsolete, MDN recommends not to use it. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
• Clear-Site-Data header clears all cookies, storage and cache. Forcibly setting this as default would result in substantial issues in the average Nuxt app. It is better to leave it up to the app owner to implement it on a case-by-case basis. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

I'm marking this PR as ready, let me know if good to you @Baroshem

[Baroshem]

@vejja

Your comment is valid - let's not add these values and be up to date with MDN. Thanks for that! I will be merging this PR to the RC branch :)