Open GaProgMan opened 3 years ago
Based on reading both:

It is recommended that the following actions are taken for HTTP-based REST endpoints:

- Set the `Content-Type` header to `application/json` and the text encoding to `utf-8`
  - `application/json` prevents the content from being misinterpreted by the consumer
  - `utf-8` prevents JSON hijacking by forcing a different encoding on the request (such as UTF-16BE)
- Set the `X-XSS-Protection` header to `0`
- Set `X-Content-Type-Options` to `nosniff`
- Set `X-Frame-Options` to `deny`
- Set the `Cache-Control` header to `no-store`
- Set `Content-Security-Policy` with the following values:
  - `default-src` set to `none`
  - `frame-ancestors` to `none` (the CSP counterpart of the `X-Frame-Options` header values)
  - `sandbox` (add this as its own directive)
- Remove the `Server` header
- Remove the `X-Powered-By` header

An example of the full set of headers and values is:

```
content-type: application/json; charset=utf-8
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
X-Frame-Options: deny
Cache-Control: no-store
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; sandbox
```
Description
Now that a small set of features have been added to the code base, let's take some time to investigate any security holes that we can find, and implement any security best practices we can find.
Ideally, this would have been performed at the initial requirements gathering stage and will be repeated as we continue to develop the application.
High-Level Proposed Solution
Considerations
Any changes made to the API, including adding security headers, will likely cause us issues when we integrate with a UI. As the UI has not yet been built, we shouldn't need to worry about that yet. But it will be useful to have some way of globally disabling any security features (FOR LOCAL DEVELOPMENT ONLY) in a programmatic way. This will enable us to test whether there is something in the security setup which is stopping the UI from working.
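The following is an added example, not code from this issue or its project, covering both the header set listed above and the local-development kill switch described in the considerations. It assumes a plain Python dict standing in for a web framework's response-header collection, so it runs offline; the names `apply_security_headers`, `audit_headers` and the `disable_for_local_dev` flag are hypothetical names chosen for this example, and the sample response headers are constructed.

```python
"""Apply and audit the security headers for a JSON REST API.

Added example, not code from the issue or its project. A plain dict
stands in for a framework's response-header collection, so the logic
runs offline; `apply_security_headers`, `audit_headers` and
`disable_for_local_dev` are hypothetical names chosen for this example.
"""
from __future__ import annotations

# Exact header set from the issue. The Content-Security-Policy has no
# script-src/style-src: an API serves data, not a page to render.
RECOMMENDED_HEADERS: dict[str, str] = {
    "Content-Type": "application/json; charset=utf-8",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Cache-Control": "no-store",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'; sandbox",
}

# Headers that advertise the server or framework and should be removed.
HEADERS_TO_REMOVE: tuple[str, ...] = ("Server", "X-Powered-By")


def _find_key(headers: dict[str, str], name: str) -> str | None:
    """Return the key in `headers` matching `name` ignoring case (HTTP
    header names are case-insensitive), or None if absent."""
    wanted = name.lower()
    for key in headers:
        if key.lower() == wanted:
            return key
    return None


def _normalise(name: str, value: str) -> frozenset[str] | str:
    """Canonical form for comparison: list-valued headers compare as sets
    of their tokens so `a; b` equals `b;a`; other headers compare lowercase."""
    lowered = value.strip().lower()
    separator = {"Content-Type": ";", "Content-Security-Policy": ";", "Cache-Control": ","}.get(name)
    if separator is None:
        return lowered
    return frozenset(part.strip() for part in lowered.split(separator) if part.strip())


def apply_security_headers(headers: dict[str, str], *, disable_for_local_dev: bool = False) -> dict[str, str]:
    """Return a copy of `headers` with the recommended set applied and the
    leaky headers removed.

    `disable_for_local_dev` is the programmatic kill switch the issue asks
    for: when True the headers are returned unchanged so a UI integration
    problem can be isolated. It is meant for local development only.
    """
    result = dict(headers)
    if disable_for_local_dev:
        return result
    for name, value in RECOMMENDED_HEADERS.items():
        existing = _find_key(result, name)
        if existing is not None:
            del result[existing]  # drop a differently-cased duplicate first
        result[name] = value
    for name in HEADERS_TO_REMOVE:
        existing = _find_key(result, name)
        if existing is not None:
            del result[existing]
    return result


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Check a response's headers against the recommendations.

    Returns one finding per problem; an empty list means compliant.
    """
    findings: list[str] = []
    for name, expected in RECOMMENDED_HEADERS.items():
        key = _find_key(headers, name)
        if key is None:
            findings.append(f"missing {name}")
        elif _normalise(name, headers[key]) != _normalise(name, expected):
            findings.append(f"{name}: expected {expected!r}, got {headers[key]!r}")
    for name in HEADERS_TO_REMOVE:
        key = _find_key(headers, name)
        if key is not None:
            findings.append(f"{name} should be removed (got {headers[key]!r})")
    return findings


# Constructed sample: what an unconfigured framework might send.
SAMPLE_RESPONSE_HEADERS = {
    "content-type": "text/html",
    "Server": "example-server/1.0",
    "X-Powered-By": "example-framework",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print("before:", finding)
    hardened = apply_security_headers(SAMPLE_RESPONSE_HEADERS)
    print("after:", audit_headers(hardened) or "compliant")
```

`audit_headers` is the piece worth wiring into an integration test: run it over the headers of every API response and fail the build on a non-empty result, which catches a route that bypasses the middleware or a framework upgrade that reintroduces a `Server` header. Matching header names case-insensitively and comparing list-valued headers as token sets keeps the check from raising false alarms when a framework reorders CSP directives or lowercases header names.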
Requirements