Add basic security via response headers

[jbmoelker]

This change configures response headers for basic security.

The following headers are configured (as explained by securityheaders.com:

• X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN".
• X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
• Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

Before: source: https://securityheaders.com/?q=https%3A%2F%2Fproxx.app%2F&hide=on&followRedirects=on

After: source: https://securityheaders.com/?q=https%3A%2F%2Fdeploy-preview-492--gravitongame.netlify.com%2F&hide=on&followRedirects=on

Note security could be tightened further by configuring Content Security Policy and Feature Policy.

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it!) and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[jbmoelker]

https://github.com/GoogleChromeLabs/proxx/pull/492#issuecomment-517982145 I signed the CLA. However I can't find if the email address I signed the CLA and the one I created the commit with are the same :-/ Will figure this out when I have more time.

[jakearchibald]

The site is entirely static, and doesn't store any data that is exposed without these headers. Or am I missing something?

Can you summarise the issues this PR solves with PROXX?

[jbmoelker]

Hi Jake, I think you are absolutely right that you can skip most of this for PROXX.

I think the only essential header is X-Frame-Options: SAMEORIGIN. This prevents someone from running the app in an iframe on for example proxxx.app and then click-jacking users.

The other header that might be good is Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. Though I think you are already setting HSTS via the Netlify admin panel. The only reason to put it here would be so others using PROXX as a reference would copy the same best practice for this.

I'm happy to change the PR (or create a new one with my signed CLA account). But I also understand if you just want to close this PR.

[jakearchibald]

I think the only essential header is X-Frame-Options: SAMEORIGIN. This prevents someone from running the app in an iframe on for example proxxx.app and then click-jacking users.

I understand the risks of click-jacking for something like Amazon/Facebook, where clicks can result in buying something, or changing user's settings, but it doesn't seem like such a big deal here.

I guess better safe than sorry though.

[PaulKinlan]

Just an FYI, the game was embedded on the chrome blog - I am not sure we want to limit iframes, but open to being told otherwise.

On Tue, 6 Aug 2019 at 17:33, Jake Archibald notifications@github.com wrote:

I think the only essential header is X-Frame-Options: SAMEORIGIN. This prevents someone from running the app in an iframe on for example proxxx.app and then click-jacking users.

I understand the risks of click-jacking for something like Amazon/Facebook, where clicks can result in buying something, or changing user's settings, but it doesn't seem like such a big deal here.

I guess better safe than sorry though.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/GoogleChromeLabs/proxx/pull/492?email_source=notifications&email_token=AAALDRQ5ECDTHLBZIXDSZ4TQDGRWRA5CNFSM4IJEWAKKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3VXBTQ#issuecomment-518746318, or mute the thread https://github.com/notifications/unsubscribe-auth/AAALDRWWUBBVMW3CA6UG7O3QDGRWRANCNFSM4IJEWAKA .

[jakearchibald]

Ohh well remembered

[jbmoelker]

I guess it would be bad for the embed to fail. And this PR has limited benefits. So I'm closing it. Ping me if I should create a new one :) Ow, and keep making PROXX awesome!