KlimaDAO / klimadao

Monorepo for the official KlimaDAO site, dApp, components and design system.
https://klimadao.finance
MIT License

Set HTTP security headers for Vercel hosted subdomains #107

Closed gord0b closed 2 years ago

gord0b commented 2 years ago

To improve the security of the applications, set HTTP security headers for Vercel hosted subdomains, as none currently exist except HSTS.

Apply Headers for vercel.com hosted sites in next.config.js, as per: https://nextjs.org/docs/advanced-features/security-headers

Vercel hosting: security headers to be set for the following subdomains.

Check current header config: curl -i http://dapp.klimadao.finance

Security headers information / overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Proposed HTTP security headers:

{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' }
{ key: 'X-XSS-Protection', value: '0' }
{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }
{ key: 'X-Content-Type-Options', value: 'nosniff' }
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' }
{ key: 'Content-Security-Policy', value: 'upgrade-insecure-requests' }

Atmosfearful commented 2 years ago

Questions/comments:

  1. why do we want upgrade-insecure-requests for CSP? Is there a safer option? I think the default is safer but I'm not too familiar.
  2. X-XSS-Protection is not supported in modern browsers according to MDN, let's skip that.
  3. for STP let's do Strict-Transport-Security: max-age=63072000; includeSubDomains; preload as recommended by MDN
  4. we don't want to support iframes in any capacity
  5. strict-origin-when-cross-origin is the default for browsers when none is set

thoughts @gord0b ?

gord0b commented 2 years ago

1: Upgrade-insecure-requests (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests): it's just a start for a CSP policy, as we can tighten it further down the line with https://content-security-policy.com/hash/ or https://content-security-policy.com/nonce/. CSP policy is great; you have to explicitly allow, so testing is required.

2: X-XSS-Protection - Yes hence it should be explicitly turned-off using X-XSS-Protection 0;

3: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. I would suggest starting with Strict-Transport-Security "max-age=31536000; includeSubDomains" as the first step, then ramp up to max-age=63072000 and preload. Requirements for HSTS preload, as per https://hstspreload.org: "Be aware that inclusion in the preload list cannot easily be undone. Domains can be removed, but it takes months for a change to reach users with a Chrome update and we cannot make guarantees about other browsers. Don't request inclusion unless you're sure that you can support HTTPS for your entire site and all its subdomains in the long term."

4: X-Frame-Options: If not supporting any iframes, X-Frame-Options DENY; is best, yes.

5: Referrer-Policy: Best to explicitly set it and not rely on the browser only. Referrer-Policy "strict-origin-when-cross-origin";

Atmosfearful commented 2 years ago

Thanks for the background I'll try to get these changes in with the redesigned site

Atmosfearful commented 2 years ago

update: we will need to keep iframes for #197
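As an added example (not KlimaDAO's code, and not the change that eventually landed in the repo), the header set the discussion above converges on, written in the shape a next.config.js `headers()` function returns, together with a small offline checker that compares a captured response head (the kind `curl -i` prints) against that set. The values are the first-step choices from the thread: HSTS at one year without preload, X-XSS-Protection explicitly disabled, X-Frame-Options left at SAMEORIGIN because iframes must stay, Referrer-Policy set explicitly rather than relying on the browser default, and a CSP that starts from upgrade-insecure-requests. The `source: '/(.*)'` route pattern, the function names, and the sample response heads are assumptions constructed for the example.

```javascript
// Added example, not the project's own code: security headers in the form
// next.config.js `headers()` returns, plus an offline checker for captured
// responses. Route pattern, helper names and sample data are assumptions.

// Header set discussed in the issue (first-step values; ramp HSTS up to
// max-age=63072000 + preload only once every subdomain is HTTPS for good).
const securityHeaders = [
  { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
  { key: 'X-XSS-Protection', value: '0' },            // explicitly off, per MDN
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },    // iframes must be kept
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Content-Security-Policy', value: 'upgrade-insecure-requests' }, // starting point, tighten later
];

// What next.config.js would export; '/(.*)' applies the set to every route.
const nextConfig = {
  async headers() {
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};

// Parse a raw HTTP response head (status line followed by header lines, as
// printed by `curl -i`) into a map keyed by lower-cased header name.
function parseResponseHead(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    if (line.trim() === '') break;                    // blank line ends the head
    const i = line.indexOf(':');
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Compare captured headers against the expected set; returns one finding per
// header that is missing or differs. An empty array means the set is applied.
function auditHeaders(captured, expected = securityHeaders) {
  const findings = [];
  for (const { key, value } of expected) {
    const got = captured[key.toLowerCase()];
    if (got === undefined) findings.push(`${key}: missing`);
    else if (got !== value) findings.push(`${key}: got '${got}', expected '${value}'`);
  }
  return findings;
}

// Render a header list back into a response head, so the "after" state can be
// checked with the same parser.
function renderHead(headers) {
  return ['HTTP/2 200', ...headers.map(h => `${h.key.toLowerCase()}: ${h.value}`), ''].join('\r\n');
}

// Constructed sample of the state the issue describes: only HSTS is present.
const sampleBefore = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=31536000; includeSubDomains',
  '',
].join('\r\n');

// Constructed sample of a response once the set above is deployed.
const sampleAfter = renderHead(securityHeaders);

console.log('before:', auditHeaders(parseResponseHead(sampleBefore)));
console.log('after:', auditHeaders(parseResponseHead(sampleAfter)));
```

To run the check against a live host, paste the output of `curl -i https://dapp.klimadao.finance` into `parseResponseHead`; the checker is deliberately an exact match on value, so a stricter HSTS (for example the 63072000 + preload value) shows up as a finding and has to be updated in `securityHeaders` rather than silently accepted.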

gord0b commented 2 years ago

@0xAeterno - any update on this? thanks

0xAeterno commented 2 years ago

@gord0b - just started working on it today, prioritising this since explicitly defining headers in next.config.js (for CORS) has overridden the default headers set by nextjs