HalosGhost / halosgho.st

The repo backing my homepage
GNU General Public License v3.0

Security Headers #6

Closed HalosGhost closed 6 years ago

HalosGhost commented 6 years ago

With the current implementation, https://securityheaders.io gives me an FA.

We must implement the following things to get us to an A+:

HalosGhost commented 6 years ago

With the top five completed, we now score an A. Fully implementing Feature-Policy will require a bit more work as we cannot use lwan's built-in response headers (we need to prepare the headers ourselves due to a length limit). It should be noted that we technically could partially implement it, which would give us a better score on securityheaders.io (though it would not meet the spirit of the recommendation, only the letter). For now, #8 takes precedence over Feature-Policy or Expect-CT.

HalosGhost commented 6 years ago

#8 is complete. I will be waiting for several days to make sure that auto-renewal is functioning. Once it is confirmed to be working, I will enable HSTS. When I do so, I will take the opportunity to enable Expect-CT and Feature-Policy.

HalosGhost commented 6 years ago

Looks like auto-renewal is working beautifully. strict-transport-security, feature-policy and expect-ct are on the way.

HalosGhost commented 6 years ago

strict-transport-security is live (A+ on SSLLabs and SecurityHeaders are ours!). expect-ct is live, but it's not totally clear to me that the report-uri is working. I am scratching feature-policy as we do not use anything from it. I will leave this issue open as I further investigate expect-ct.
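
One way to check a captured set of response headers offline for the headers this thread is working towards, including whether an Expect-CT value actually carries a usable report-uri. This is an added example, not code from the halosgho.st repository or from lwan; the checklist of required headers, the one-year HSTS max-age threshold, and the two sample header dictionaries are this example's own assumptions and constructed input, not values taken from the site.

```python
"""Offline checker for the response headers discussed in this thread.

Added example, not code from the halosgho.st repository or from lwan.
The checklist, the minimum HSTS max-age and the sample header sets are
assumptions and constructed input, not values captured from the site.
"""

# Headers securityheaders.io looked for at the time of this thread, with
# Permissions-Policy (the successor of Feature-Policy) standing in for it.
# Assumed checklist, not the scanner's actual rule set.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
MIN_HSTS_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list asks for


def parse_directives(value, sep=";"):
    """Split 'max-age=86400; includeSubDomains; preload' into a dict.

    HSTS separates directives with ';', Expect-CT with ',', hence `sep`.
    Value-less directives map to True; names are lower-cased, values keep
    their case and lose surrounding quotes (report-uri is usually quoted).
    """
    out = {}
    for part in value.split(sep):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') if has_value else True
    return out


def check_hsts(value):
    """Return a list of problems with a Strict-Transport-Security value."""
    d = parse_directives(value, ";")
    try:
        max_age = int(str(d.get("max-age", "")))
    except ValueError:
        return ["max-age missing or not an integer"]
    problems = []
    if max_age < MIN_HSTS_MAX_AGE:
        problems.append(f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def check_expect_ct(value):
    """Return a list of problems with an Expect-CT value."""
    d = parse_directives(value, ",")
    problems = []
    if not str(d.get("max-age", "")).isdigit():
        problems.append("max-age missing or not an integer")
    uri = d.get("report-uri")
    if uri is None or uri is True:
        problems.append("report-uri missing, so violations are never reported")
    elif not uri.startswith("https://"):
        problems.append(f"report-uri {uri!r} is not an https URL")
    return problems


def audit(headers):
    """Audit a {name: value} response-header dict, case-insensitively.

    Returns a sorted list of 'header: problem' strings; empty means clean.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"{name}: missing" for name in REQUIRED_HEADERS if name not in h]
    if "strict-transport-security" in h:
        findings += [f"strict-transport-security: {p}"
                     for p in check_hsts(h["strict-transport-security"])]
    if "expect-ct" in h:
        findings += [f"expect-ct: {p}" for p in check_expect_ct(h["expect-ct"])]
    return sorted(findings)


# Constructed sample responses, not captured from halosgho.st.
BEFORE = {"Content-Type": "text/html", "Server": "lwan"}
AFTER = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.invalid/ct"',
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs) or "clean")
```

Feed `audit()` the header dict from an actual response (for example `dict(urllib.request.urlopen(url).headers)`) to re-run the same check against a live host; the parser only distinguishes the two directive separators, so an HSTS value written with commas would be reported as a missing max-age rather than silently accepted.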

HalosGhost commented 6 years ago

The tooling around expect-ct is pretty subpar at the moment, and there is no way to use feature-policy to say “I won't be using any of those, thanks”, so for now, I am closing this issue and cancelling plans for those two headers.