
Set HTTP security headers for Vercel hosted subdomains #107

Closed
gord0b opened this issue Jan 25, 2022 · 6 comments · Fixed by #248
gord0b (Contributor) commented Jan 25, 2022

To improve the security of the applications, set HTTP security headers for Vercel hosted subdomains, as none exist currently except HSTS.

Apply headers for vercel.com hosted sites in next.config.js, as per: https://nextjs.org/docs/advanced-features/security-headers

Vercel Hosting: security headers to be set for the following subdomains.

# Check current header config
CMD: curl -i http://dapp.klimadao.finance

# Security headers information
Overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Headers: proposed HTTP security headers (in the shape next.config.js expects):

```js
[
  {
    key: 'Strict-Transport-Security',
    value: 'max-age=31536000; includeSubDomains'
  },
  {
    key: 'X-XSS-Protection',
    value: '0'
  },
  {
    key: 'X-Frame-Options',
    value: 'SAMEORIGIN'
  },
  {
    key: 'X-Content-Type-Options',
    value: 'nosniff'
  },
  {
    key: 'Referrer-Policy',
    value: 'strict-origin-when-cross-origin'
  },
  {
    key: 'Content-Security-Policy',
    value: 'upgrade-insecure-requests'
  }
]
```

Atmosfearful (Collaborator) commented Jan 25, 2022

Questions/comments:

  1. Why do we want upgrade-insecure-requests for CSP? Is there a safer option? I think the default is safer but I'm not too familiar.
  2. X-XSS-Protection is not supported in modern browsers according to MDN, let's skip that.
  3. For HSTS let's do Strict-Transport-Security: max-age=63072000; includeSubDomains; preload as recommended by MDN.
  4. We don't want to support iframes in any capacity.
  5. strict-origin-when-cross-origin is the default for browsers when none is set.

Thoughts @gord0b?

gord0b (Contributor, Author) commented Jan 26, 2022

1: upgrade-insecure-requests, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests, is just a start for a CSP policy, as we can tighten further down the line with https://content-security-policy.com/hash/ or https://content-security-policy.com/nonce/. A CSP policy is great, you have to explicitly allow, so testing is required.

2: X-XSS-Protection: yes, hence it should be explicitly turned off using X-XSS-Protection 0;

3: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. I would suggest starting with Strict-Transport-Security "max-age=31536000; includeSubDomains"; as the first step, then ramp up to max-age=63072000 and preload. Requirements for HSTS preload, as per https://hstspreload.org:
"Be aware that inclusion in the preload list cannot easily be undone. Domains can be removed, but it takes months for a change to reach users with a Chrome update and we cannot make guarantees about other browsers. Don't request inclusion unless you're sure that you can support HTTPS for your entire site and all its subdomains in the long term."

4: X-Frame-Options: if not supporting any iframes, X-Frame-Options DENY; is best, yes.

5: Referrer-Policy: best to explicitly set it and not rely on the browser only. Referrer-Policy "strict-origin-when-cross-origin";

Atmosfearful (Collaborator) commented

Thanks for the background, I'll try to get these changes in with the redesigned site.

Atmosfearful (Collaborator) commented

Update: we will need to keep iframes for #197.

gord0b (Contributor, Author) commented Mar 7, 2022

@0xAeterno, any update on this? Thanks.

0xAeterno (Contributor) commented Mar 8, 2022

@gord0b, just started working on it today, prioritising this since explicitly defining headers in next.config.js (for CORS) has overridden the default headers set by Next.js.
