KlimaDAO / dash-apps

Dashboard Apps Repo
MIT License

Add HTTP Security Headers #43

Open 0xAurelius opened 2 years ago

0xAurelius commented 2 years ago

Not sure if this will be possible with DOAP, might need to tackle after we move to k8s hosting

from gordob:

NO http security headers set, TLS 1-TLS 1.1 enabled, Obsolete CBC ciphers enabled.

we can set CORS on DOAP, and we can in theory set custom headers on the Dash app as outlined here: https://github.com/plotly/dash-renderer/pull/75
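
The comment above points at setting custom response headers on the Dash app itself. The following is an added example, not code from the dash-apps repository or the linked dash-renderer PR: a small audit that parses a raw header block (the kind `curl -sI` prints), reports which common security headers are missing, and merges a baseline set into a response's headers the way an `after_request` hook on the underlying Flask server would. The header names and values in `RECOMMENDED_HEADERS` are an assumed hardening baseline chosen for illustration; a `Content-Security-Policy` this strict will break Dash's inline scripts and must be tuned per app.

```python
"""Audit an HTTP response for missing security headers and merge a baseline set.

Added example, not code from the dash-apps project. The header set and
values below are an assumed baseline, not values taken from the project.
"""

# Assumed baseline of response headers to check for and to add.
# The CSP here is deliberately strict; a real Dash app needs a looser one.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP header block (as printed by `curl -sI`) into a dict
    keyed by lower-cased header name. The status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw: str) -> list:
    """Return the recommended headers absent from the response, in the
    order of RECOMMENDED_HEADERS (header names are compared case-insensitively)."""
    present = parse_headers(raw)
    return [name for name in RECOMMENDED_HEADERS if name.lower() not in present]


def add_security_headers(headers: dict) -> dict:
    """Merge the recommended headers into a response header dict without
    overriding anything the app already set. This is the logic one would
    run in a Flask `after_request` hook (Dash exposes the Flask app as
    `app.server`); the hook itself is not included so the example runs
    without Flask installed."""
    merged = dict(headers)
    existing = {k.lower() for k in merged}
    for name, value in RECOMMENDED_HEADERS.items():
        if name.lower() not in existing:
            merged[name] = value
    return merged


# Constructed sample response, modelled on what `curl -sI` prints for a
# server that sets no security headers at all. Not a real capture.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 1234
server: nginx
"""

if __name__ == "__main__":
    for name in missing_security_headers(SAMPLE_RESPONSE):
        print("missing:", name)
    hardened = add_security_headers(parse_headers(SAMPLE_RESPONSE))
    hardened_raw = "\n".join(f"{k}: {v}" for k, v in hardened.items())
    print("after hardening, missing:", missing_security_headers(hardened_raw))
```

To audit a live deployment, feed the output of `curl -sI <url>` into `missing_security_headers`; the merge function is the part that belongs in the app's response hook, and because it never overwrites a header the app already set, an app-specific CSP takes precedence over the baseline one.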

gord0b commented 2 years ago

Specific URL: https://carbon.klimadao.finance

Deprecated TLS Versions: Article states 'March 31, 2022, the minimum default TLS version for custom domains will be 1.2', https://www.digitalocean.com/blog/new-in-digitalocean-app-platform-glitch-integration, BUT both TLS 1.0 and TLS 1.1 are active.

Test TLS:

    curl -o /dev/null -L -v -s https://carbon.klimadao.finance --tls-max 1.0
    curl -o /dev/null -L -v -s https://carbon.klimadao.finance --tls-max 1.1


gord0b commented 2 years ago

TLS Change confirmed (OK) - TLS 1.0 & TLS 1.1 not offered any more.
