Open franckc opened 1 year ago
@mikeshultz @nickick @rolandpo Could you please provide feedback on this proposal? I'm not well versed in the myriad of HTTP security headers... thanks :)
eh, I tend to reinvent the wheel every time I dig into things like CSP. Wonder if we could find some guides or buidlers that would help us put together a header package. Either way, I don't have much feedback without digging into it fully.
strict-transport-security, x-xss-protection, Cross-Origin-Opener-Policy and X-Content-Type-Options headers have been added and merged into the 3 sites. Is there anything else to add?
I'm not aware of any vulnerability. But as good security hygiene we should set security headers on the HTTP responses returned by all our marketing sites (originprotocol.com; ousd.com; story.xyz). I took a quick inventory by manually inspecting the responses we are currently returning and also by using one of the many tools returned when googling "security header scanner".
Here are my suggestions.
strict-transport-security See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security => Let's set:
strict-transport-security: max-age=31536000; includeSubdomains
x-xss-protection See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection => Let's set:
x-xss-protection: 1; mode=block
Cross-Origin-Opener-Policy See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy => Let's set:
cross-origin-opener-policy-report-only: same-origin-allow-popups
X-Content-Type-Options: nosniff See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options => Let's set:
X-Content-Type-Options: nosniff
Referrer policy See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy => No action needed. The default is strict-origin-when-cross-origin which I think should be fine.
Content-Security-Policy See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP That one is complicated. Our sites do load some data, img assets and scripts from third-party sites. We could take an inventory and add all of them but I'm not positive it's the best way to go. I'd be interested in feedback from our team on what CSP we should use.
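To make the proposal checkable, here is an added Python example (not code from this issue or from the Origin sites). It audits a map of response headers against the values proposed in the items above (parsing Strict-Transport-Security so a too-short max-age or a missing includeSubDomains is reported, not just a missing header), and it builds a Content-Security-Policy-Report-Only value from a per-directive inventory of third-party origins, which is the usual way to start the CSP work raised in the last item without breaking pages: browsers report violations to the endpoint but block nothing until the header is switched to the enforcing name. The sample header maps, the `cdn.example` origin and the `/csp-report` endpoint are constructed for the example and are not real captures.

```python
"""Audit HTTP security headers against the values proposed in the issue, and
build a report-only CSP from an inventory of third-party origins.
Added example; sample data below is constructed, not captured from any site."""
from typing import Dict, List, Tuple

# Header values proposed in the issue. Names are compared case-insensitively,
# as HTTP header names are.
PROPOSED_HEADERS: Dict[str, str] = {
    "strict-transport-security": "max-age=31536000; includeSubdomains",
    # Non-standard; current browsers ignore it. A CSP is the effective XSS control.
    "x-xss-protection": "1; mode=block",
    "cross-origin-opener-policy-report-only": "same-origin-allow-popups",
    "x-content-type-options": "nosniff",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as proposed

# Constructed sample: a response that only partially follows the proposal.
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
# Constructed sample: the same response after applying every proposed header
# plus a report-only CSP.
FIXED_RESPONSE_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    **PROPOSED_HEADERS,
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value.
    max_age is None when the directive is absent or not an integer."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, problem) findings for one response's header map."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []
    for name in PROPOSED_HEADERS:
        if name not in lower:
            findings.append((name, "missing"))
    if "strict-transport-security" in lower:
        max_age, include_sub = parse_hsts(lower["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(("strict-transport-security", f"max-age below {MIN_HSTS_MAX_AGE}"))
        if not include_sub:
            findings.append(("strict-transport-security", "includeSubDomains not set"))
    if "x-content-type-options" in lower and lower["x-content-type-options"].strip().lower() != "nosniff":
        findings.append(("x-content-type-options", "value is not nosniff"))
    if "content-security-policy" not in lower and "content-security-policy-report-only" not in lower:
        findings.append(("content-security-policy", "no CSP, enforced or report-only"))
    return findings


def build_report_only_csp(inventory: Dict[str, List[str]], report_uri: str) -> str:
    """Build a Content-Security-Policy-Report-Only value. `inventory` maps a
    directive to the third-party origins the site loads for it; 'self' is always
    allowed. report-uri is the widely supported reporting directive (report-to is
    its successor); violations are reported but not blocked until the header is
    renamed to Content-Security-Policy."""
    parts = []
    for directive in ("default-src", "script-src", "img-src", "connect-src", "style-src"):
        sources = ["'self'"] + list(inventory.get(directive, []))
        parts.append(f"{directive} {' '.join(sources)}")
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


if __name__ == "__main__":
    for header, problem in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{header}: {problem}")
    # Constructed inventory: one script CDN origin and one image origin.
    print(build_report_only_csp(
        {"script-src": ["https://cdn.example"], "img-src": ["https://img.cdn.example"]},
        "/csp-report"))
```

In practice the inventory for `build_report_only_csp` comes from the violation reports themselves: ship the report-only header with `'self'` only, collect the blocked-uri values the browsers send to the report endpoint, add the legitimate origins to the inventory, and only then rename the header to the enforcing form.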