OpenTree-Education / rhizone-lms

A learning management system focused on self-reflection.
https://rhi.zone
BSD 3-Clause Clear License

Security headers should be set in web app responses #54

Open davidvandusen opened 3 years ago

davidvandusen commented 3 years ago

Expected behaviour

Security headers, like Content-Security-Policy, should be set in responses to requests for HTML resources, like those for the web app.

Actual behaviour

No additional headers have been configured to be sent for web app responses.

Details and resources

The current idea is still that the web app will be published to an S3 bucket and either served as a website or a CloudFront distribution.

For the time being, it is possible to configure security headers in Nginx, and it might be worth setting that up sooner rather than later so we can settle on what headers are required when we do publish to S3.

davidvandusen commented 2 years ago

The webapp is now deployed on Netlify, so the security headers would have to be added the Netlify way:

https://docs.netlify.com/routing/headers/
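As an added example (not code from the rhizone-lms project or from this issue), the block below shows a Netlify-style `_headers` file setting the headers discussed above, together with a small parser that checks the catch-all `/*` rule actually carries them. The header values, the `REQUIRED` set and the `SAMPLE_HEADERS_FILE` contents are assumptions for illustration; the real CSP must match the web app's actual script and style origins.

```python
from __future__ import annotations

# Constructed sample _headers file in Netlify's format: an unindented path
# line followed by indented "Name: value" lines.  Values are assumptions
# chosen for this example, not the project's configuration.
SAMPLE_HEADERS_FILE = """\
/*
  Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  X-Frame-Options: DENY
"""

# Headers the check insists on for HTML responses (assumed baseline).
REQUIRED = {
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
}


def parse_headers_file(text: str) -> dict[str, dict[str, str]]:
    """Parse the _headers format into {path: {lowercased-header-name: value}}."""
    rules: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0] not in " \t":           # unindented line starts a new path rule
            current = rules.setdefault(raw.strip(), {})
            continue
        if current is None:
            raise ValueError(f"header line before any path: {raw!r}")
        name, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {raw!r}")
        current[name.strip().lower()] = value.strip()
    return rules


def missing_security_headers(rules: dict[str, dict[str, str]], path: str = "/*") -> set[str]:
    """Return the required headers that the rule for `path` does not set."""
    return REQUIRED - set(rules.get(path, {}))


if __name__ == "__main__":
    print(sorted(missing_security_headers(parse_headers_file(SAMPLE_HEADERS_FILE))))
```

Running the check against the sample file reports no missing headers; pointing it at a rule that only sets `X-Frame-Options` lists the four missing ones, which is the kind of gate worth running in CI before the `_headers` file is deployed.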