Closed vejja closed 1 month ago
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
nuxt-security | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | May 21, 2024 9:08am |
@Baroshem could you please check the new default values ? I copied them from https://owasp.org/www-project-secure-headers/#configuration-proposal but there are 2 things you may want to verify:
let me know what you want to do I’ll update the docs after that
Hey there!
Sorry for no contact from my side as I was quite budy recently.
I would update every property do that we will be up to date with the current state of Owasp and I think I would go for a cheatsheet. I went with Node.js Security Cheatsheet when I was implementing other features.
Hey there!
Sorry for no contact from my side as I was quite budy recently.
I would update every property do that we will be up to date with the current state of Owasp and I think I would go for a cheatsheet. I went with Node.js Security Cheatsheet when I was implementing other features.
Actually I compared the cheatsheet with the recommendation and they are pretty close. The only significant difference is on permissions policy, where the cheat sheet only gives an example but the Best Practice is way more strict.
I'll update CSP for block-all-mixed-content
and add the clearSiteData
header and I think we'll be good to go.
Awesome, thank you for looking into that!
After in-depth review, I think it is better to not make further changes:
block-all-mixed-content
is marked as obsolete, MDN recommends not to use it. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-contentClear-Site-Data
header clears all cookies, storage and cache. Forcibly setting this as default would result in substantial issues in the average Nuxt app. It is better to leave it up to the app owner to implement it on a case-by-case basis. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-DataI'm marking this PR as ready, let me know if good to you @Baroshem
@vejja
Your comment is valid - let's not add these values and be up to date with MDN. Thanks for that! I will be merging this PR to the RC branch :)
Closes #232
Types of changes
Description
This PR updates the default configuration values of Security Headers to conform to the OWASP recommendations
See OWASP Secure Headers Project
Checklist: