Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add headers for a more secure PWA. #1823

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add headers for a more secure PWA. #1823

wants to merge 3 commits into from

Conversation

johnhout
Copy link

@johnhout johnhout commented Feb 23, 2021
edited

Q A
Branch? main
Bug fix? yes/no
New feature? no
Deprecations? no
Tickets Ran into this issue on my own instead of adding an issue added a pull request.
License MIT

Implement a few headers for the PWA to protect the application against Clickjacking and XSS attacks based on the OWASP guidelines.

@johnhout
Add headers for a more secure PWA.
c5266b3 
Implement a few headers for the PWA to protect the application against Clickjacking and XSS attacks.
@soyuka soyuka requested a review from dunglas February 23, 2021 13:54
dunglas
dunglas reviewed Mar 1, 2021
View reviewed changes
api/docker/caddy/Caddyfile Outdated
@@ -47,6 +47,18 @@ route {
# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA)
header ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"`

# Set headers for protection against XSS, clickjacking and MIME-sniffing.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this block be merged with the previous line defining the Link header?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, will update the pull request

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean can't we move ?Link </docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure" inside the header / { block?

@dunglas
Copy link
Member

dunglas commented Mar 16, 2021

@johnhout I updated your PR, but according to OWASP the X-XSS-Protection header is deprecated and should be replaced by a Content Security Policy, and the Referrer-Policy should be set. WDYT?

@francislavoie
Copy link
Contributor

This will need to be reorganized once #1893 is merged -- it's not correct to have ? header defaults in the same header handler as other rules.

@dunglas
Copy link
Member

dunglas commented Sep 13, 2022

We should use the Next.js config instead, so there will be set even if the user doesn't use Caddy: https://nextjs.org/docs/advanced-features/security-headers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dunglas dunglas dunglas left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Needs work
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@johnhout @dunglas @francislavoie @vincentchalamon