
Security headers #30

Closed
4 of 5 tasks
thekid opened this issue Oct 24, 2022 · 2 comments · Fixed by #31
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments


thekid commented Oct 24, 2022

Idea

Add a web.frontend.SecurityHeaders API to cover all of: X-Content-Type-Options ✅, Content-Security-Policy, X-Frame-Options, Referrer-Policy and Permissions-Policy, e.g. as follows:

new SecurityHeaders(
  csp: "default-src 'none'; ...",
  framing: 'DENY',  // or: ALLOW, SAMEORIGIN, ALLOW-FROM [URL]
  referrers: 'no-referrer-when-downgrade', // or: strict-origin, origin-when-cross-origin, etcetera
  permissions: '...'
);
  • Check how to add easy report-only modes for csp and permissions
  • Check how a nonce-notation would work
  • Make framing and referrers accessible via enums
  • Check what could be sensible defaults?
  • ...and if we can find defaults, add these to the frontend and then make them customizable via $frontend->security()->csp(...) instead of always having to add these manually

See https://securityheaders.com/?q=https%3A%2F%2Fdialog.sloppy.zone%2F

Inspired by

@thekid thekid added enhancement New feature or request help wanted Extra attention is needed labels Oct 24, 2022

thekid commented Oct 24, 2022

X-Content-Type-Options: nosniff was added in https://github.com/xp-forge/frontend/releases/tag/v2.1.0


thekid commented Oct 24, 2022

Sensible defaults

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
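The API sketched in the opening comment, combined with the sensible defaults listed here, as an added example that is not xp-forge/frontend's own code: the class shape, the {nonce} placeholder and the $reportOnly flag are assumptions made for this illustration.

```php
<?php
// Added illustration, not code from xp-forge/frontend: a minimal value object in
// the spirit of the proposed SecurityHeaders API. The class shape, the {nonce}
// placeholder and the $reportOnly flag are assumptions made for this example.

final class SecurityHeaders {
  private const FRAMING= ['DENY', 'SAMEORIGIN'];   // current X-Frame-Options values
  private array $headers= [];

  public function __construct(
    ?string $csp= null,
    string $framing= 'DENY',
    string $referrers= 'strict-origin-when-cross-origin',
    ?string $permissions= null,
    bool $reportOnly= false,    // send CSP as Report-Only to trial it without enforcing
  ) {
    if (!in_array($framing, self::FRAMING, true)) {
      throw new InvalidArgumentException('Unsupported X-Frame-Options value: '.$framing);
    }

    // The defaults from this issue are always sent
    $this->headers['X-Content-Type-Options']= 'nosniff';
    $this->headers['X-Frame-Options']= $framing;
    $this->headers['Referrer-Policy']= $referrers;

    if (null !== $csp) {
      $name= $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
      $this->headers[$name]= $csp;
    }
    if (null !== $permissions) {
      $this->headers['Permissions-Policy']= $permissions;
    }
  }

  /** Returns name => value pairs; every {nonce} placeholder gets the per-response nonce */
  public function headers(?string $nonce= null): array {
    $nonce??= base64_encode(random_bytes(16));
    return array_map(fn($value) => str_replace('{nonce}', $nonce, $value), $this->headers);
  }
}

// Usage: enforce a strict CSP that only runs scripts carrying this response's nonce.
// The template would render <script nonce="..."> with the same value.
$security= new SecurityHeaders(
  csp: "default-src 'none'; script-src 'nonce-{nonce}'; base-uri 'none'",
  permissions: 'camera=(), microphone=(), geolocation=()',
);
foreach ($security->headers() as $name => $value) {
  echo $name, ': ', $value, "\n";   // header($name.': '.$value) in a real response
}
```

Passing reportOnly: true emits the same policy as Content-Security-Policy-Report-Only, which lets a stricter policy be trialled alongside an enforced one before switching.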

thekid added a commit that referenced this issue Oct 29, 2022
Includes X-Content-Type-Options, X-Frame-Options, Referrer-Policy and
Content-Security-Policy (including Report-Only mode)

Implements #30
@thekid thekid linked a pull request Oct 29, 2022 that will close this issue