PursuanceProject / pursuance

Pursuance: end-to-end encrypted task management optimized for large numbers of volunteers. We are building a vast and formidable ecosystem of opposition to institutionalized injustice.
https://pursuanceproject.org/

Make Go headers even more secure #76

Open elimisteve opened 7 years ago

elimisteve commented 7 years ago

@ajvb We're already doing all these https://github.com/cryptag/gosecure/blob/master/gosecure.go

There is probably more we can do: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

ajvb commented 7 years ago

I need to review this more in-depth, but I'd say we go for feature parity with https://github.com/twitter/secureheaders - and it looks like you have that already (or nearly).

elimisteve commented 7 years ago

@ajvb Sounds good :+1:

ajvb commented 7 years ago

Two missing from gosecure that are in secureheaders:

X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none

X-Download-Options - IE8 specific - http://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions

X-Permitted-Cross-Domain-Policies - Specific to Flash and PDFs - https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xpcdp

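As an added example (not code from Pursuance, gosecure or secureheaders), here is a Go `net/http` middleware that sets the two headers listed above as missing from gosecure, together with the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` pair from the clickjacking cheat sheet linked earlier in the thread. The function names `SecureHeaders`, `ResponseHeaders` and `MissingHeaders` are illustrative, and the request is driven through `httptest` so the headers can be checked without starting a server.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// SecureHeaders is an illustrative middleware (not the gosecure or
// secureheaders implementation) that adds the two headers the thread
// notes are missing from gosecure, plus clickjacking defenses.
func SecureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// IE8+: disable "Open" on downloads so the file cannot run in the
		// site's security context.
		h.Set("X-Download-Options", "noopen")
		// Flash / PDF readers: refuse every crossdomain.xml policy file.
		h.Set("X-Permitted-Cross-Domain-Policies", "none")
		// Clickjacking: legacy header for older browsers, CSP for current ones.
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}

// ResponseHeaders sends a GET for path through the middleware wrapped around
// a trivial handler and returns the response headers for inspection.
func ResponseHeaders(path string) http.Header {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	SecureHeaders(inner).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result().Header
}

// MissingHeaders audits a header set against the expected values and returns
// the sorted names of headers that are absent or carry a different value.
func MissingHeaders(h http.Header) []string {
	want := map[string]string{
		"X-Download-Options":                "noopen",
		"X-Permitted-Cross-Domain-Policies": "none",
		"X-Frame-Options":                   "DENY",
		"Content-Security-Policy":           "frame-ancestors 'none'",
	}
	var missing []string
	for name, val := range want {
		if h.Get(name) != val {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	h := ResponseHeaders("/")
	for _, name := range []string{
		"X-Download-Options", "X-Permitted-Cross-Domain-Policies",
		"X-Frame-Options", "Content-Security-Policy",
	} {
		fmt.Printf("%s: %s\n", name, h.Get(name))
	}
	fmt.Println("missing:", MissingHeaders(h))
}
```

Wrapping the whole mux (`http.ListenAndServe(addr, SecureHeaders(mux))`) is the usual way to apply this so that every route, including error handlers, gets the headers; `MissingHeaders` can be pointed at the headers of a live response to confirm nothing downstream stripped them.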
elimisteve commented 7 years ago

@ajvb Want to make that trivial Go function and send a PR to https://github.com/cryptag/gosecure adding the X-Download-Options: noopen header?

elimisteve commented 7 years ago

Or add more ideas here and then implement several at once :-)

ajvb commented 7 years ago

:) Sounds good. I'd love to see if there are any more I missed that are worth adding.

elimisteve commented 6 years ago

Note to self: look into using not just https://github.com/cryptag/gosecure , but https://github.com/unrolled/secure for this purpose.