Set HTTP security headers for Vercel hosted subdomains #107
Comments
Questions/comments:
thoughts @gord0b ?
1. Upgrade-insecure-requests, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests - it's just a start for a CSP policy, as we can tighten further down the line with https://content-security-policy.com/hash/ or https://content-security-policy.com/nonce/. CSP policy is great, you have to explicitly allow, so testing is required.
2. X-XSS-Protection - Yes, hence it should be explicitly turned off using
3. Strict-Transport-Security: -
4. X-Frame-Options: If not supporting any iframes,
5. Referrer-Policy: Best to explicitly set it and not rely on the browser only.
Thanks for the background. I'll try to get these changes in with the redesigned site.
update: we will need to keep iframes for #197
@0xAeterno - any update on this? thanks
@gord0b - just started working on it today, prioritising this since explicitly defining headers in
To improve the security of the applications, set HTTP security headers for the Vercel-hosted subdomains, since none are set currently except HSTS.
Apply the headers for the vercel.com-hosted sites in next.config.js, as per: https://nextjs.org/docs/advanced-features/security-headers
Vercel hosting: security headers are to be set for the following subdomains:
# Check current header config
```sh
curl -i http://dapp.klimadao.finance
```
# Security headers information
Overview INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- Strict-Transport-Security: currently set to max-age=63072000 (730 days) for this domain only, without includeSubDomains. A max-age of 1 year combined with includeSubDomains is acceptable. INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
- X-XSS-Protection: none set. INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
  - Update: the header should be explicitly disabled ('0') rather than set to '1; mode=block', see Cross_Site_Scripting_Prevention_Cheat_Sheet OWASP/CheatSheetSeries#376 (comment)
  - https://github.com/owncloud/core/issues/38236#issuecomment-748451720
  - Should x-xss-protection default to "0" instead of "1; mode=block" github/secure_headers#439
- X-Frame-Options: none set. INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- X-Content-Type-Options: none set. INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
- Referrer-Policy: none set. INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- Content-Security-Policy: none set. Start with a basic CSP policy, then harden it. INFO: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Headers: proposed HTTP security headers, in the `{ key, value }` shape that the Next.js `headers()` config expects:
```js
[
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=31536000; includeSubDomains'
  },
  {
    key: 'X-XSS-Protection',
    value: '0'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'Content-Security-Policy',
    value: 'upgrade-insecure-requests'
  }
]
```
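The block below is an added example, not the project's own next.config.js. It wires the proposed headers into the `headers()` shape from the Next.js security-headers guide linked above, and adds a small audit function that compares a captured response (what `curl -i` above returns) against the proposal, so the "none set" state can be checked before and after the change. The names `securityHeaders`, `nextConfig`, `parseHsts`, `auditHeaders` and the sample `currentDappHeaders` are assumptions of this example; the sample response is constructed to mirror the state described in the issue (HSTS only, 730 days, no includeSubDomains), not a real capture.

```javascript
// Added example, not the project's own code. Assumed names: securityHeaders,
// nextConfig, parseHsts, auditHeaders, currentDappHeaders (constructed sample).

const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
  { key: 'X-XSS-Protection', value: '0' },
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Content-Security-Policy', value: 'upgrade-insecure-requests' },
];

// next.config.js shape from the Next.js security-headers guide: headers()
// returns route patterns and the headers to attach to matching responses.
const nextConfig = {
  async headers() {
    return [{ source: '/:path*', headers: securityHeaders }];
  },
};

// Split an HSTS value into its directives. Directive names are
// case-insensitive and order is not significant, so compare fields, not strings.
function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : null,
    includeSubDomains: directives.includes('includesubdomains'),
  };
}

// Compare a captured response header map against the proposal.
// Returns one finding per proposed header: 'ok', 'missing' or 'mismatch'.
function auditHeaders(responseHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;

  const findings = [];
  for (const { key, value } of securityHeaders) {
    const actual = lower[key.toLowerCase()];
    if (actual === undefined) {
      findings.push({ key, status: 'missing', expected: value });
      continue;
    }
    if (key === 'Strict-Transport-Security') {
      // A longer max-age than proposed is fine; a missing includeSubDomains is not.
      const want = parseHsts(value);
      const got = parseHsts(actual);
      const ok =
        got.maxAge !== null &&
        got.maxAge >= want.maxAge &&
        (!want.includeSubDomains || got.includeSubDomains);
      findings.push({ key, status: ok ? 'ok' : 'mismatch', expected: value, actual });
      continue;
    }
    const ok = actual.trim() === value;
    findings.push({ key, status: ok ? 'ok' : 'mismatch', expected: value, actual });
  }
  return findings;
}

// Constructed sample of the current state described in the issue:
// only HSTS present, 730 days, this domain only. Not a real capture.
const currentDappHeaders = {
  'strict-transport-security': 'max-age=63072000',
  'content-type': 'text/html; charset=utf-8',
};

function printReport(headers) {
  for (const f of auditHeaders(headers)) {
    const detail = f.status === 'ok' ? '' : `  expected: ${f.expected}` + (f.actual ? `  actual: ${f.actual}` : '');
    console.log(`${f.status.padEnd(8)} ${f.key}${detail}`);
  }
}

printReport(currentDappHeaders);
```

To audit a live response, paste the header lines from `curl -i` into an object like `currentDappHeaders` (header name as key, value as value) and call `printReport` on it; once `nextConfig` is deployed, every finding should read `ok`.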