Closed adelikat closed 2 years ago
Looks like this is being set up already here? https://github.com/adelikat/tasvideos/blob/6567b24f010015c56d29874164c65379418502b1/TASVideos/Extensions/ApplicationBuilderExtensions.cs#L62 Though clearing X-Powered-By doesn't work that way; you have to do it in a web.config to direct IIS to overwrite its server headers.
There is no IIS; that is a Windows-specific web server technology. Currently we are just using Kestrel, but would certainly wrap it in Apache or nginx, where we might need similar settings.
Ah ok, I was testing in Visual Studio, where IIS Express overrides some of these things; yeah, that wouldn't apply if you use something else like Kestrel.
This was addressed enough, I think. There are still some interesting things we can do, but I think this is done enough to bump down the priority.
So only Permissions-Policy is missing? Docs here: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/ https://www.w3.org/TR/permissions-policy-1/
I would skip that one; MDN docs still mark it as experimental and refer to the old name, in which case I think we can close this.
I agree with @TiKevin83 that implementing Permissions-Policy is a bit premature for now since it is not yet a standard and its definition could change at any time.
It's also worth noting that since the new site is finally on production, it should now be possible to set up HSTS to be preloaded.
For testing once HSTS preloaded: https://hstspreload.org/?domain=tasvideos.org
HSTS headers have been added sufficiently for hstspreload.org, and I have submitted tasvideos.org for the preload list. Closing this ticket.
We want to review and revise the response headers we receive, particularly those related to security best practices.
A good resource for getting recommendations and information: https://securityheaders.com/
Remaining TODOs:
- [ ] Content Security Policy (current problems are the use of CDNs and inline script tags)
- [x] Use HSTS
- [ ] Submit the site on the HSTS preload list (requires moving to production first)
- [ ] Permissions-Policy
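As an added example, not code from the tasvideos project or from anyone in this thread: a small offline audit in Python of a response header set against the checklist above and the hstspreload.org discussion earlier. It parses the Strict-Transport-Security value as the RFC 6797 directive list (rejecting repeated directives and non-numeric max-age), applies the three header requirements hstspreload.org states (max-age of at least 31536000 seconds, includeSubDomains, preload), flags the fingerprinting headers discussed above (Server, X-Powered-By), and reports which of the remaining checklist headers such as Content-Security-Policy are absent. The two header sets at the bottom are constructed, not captured from tasvideos.org. The preload list's other conditions (serving over HTTPS, redirecting HTTP to HTTPS) cannot be judged from headers alone and are deliberately out of scope here.

```python
"""Offline audit of HTTP response headers against the security-header checklist.

Added example, not project code. Sample header sets below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # hstspreload.org minimum max-age, in seconds

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
EXPECTED_HEADERS = (
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)


@dataclass
class HstsResult:
    present: bool
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        """True only when the header itself satisfies the hstspreload.org rules."""
        return self.present and not self.problems


def parse_hsts(value: str | None) -> HstsResult:
    """Parse a Strict-Transport-Security value (RFC 6797 directive list)."""
    if value is None:
        return HstsResult(present=False, problems=["Strict-Transport-Security header missing"])
    result = HstsResult(present=True)
    seen: set[str] = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        arg = arg.strip().strip('"')  # quoted-string form is allowed
        if name in seen:
            # RFC 6797 section 6.1: a directive must not appear more than once
            result.problems.append(f"duplicate directive {name!r}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                result.max_age = int(arg)
            else:
                result.problems.append(f"max-age has non-numeric value {arg!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if result.max_age is None:
        result.problems.append("max-age directive missing")
    elif result.max_age < ONE_YEAR:
        result.problems.append(f"max-age {result.max_age} below preload minimum {ONE_YEAR}")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing")
    if not result.preload:
        result.problems.append("preload missing")
    return result


def audit_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return findings keyed by checklist item; header names matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts": parse_hsts(lower.get("strict-transport-security")).problems,
        "fingerprinting": [f"{h}: {lower[h]}" for h in FINGERPRINT_HEADERS if h in lower],
        "missing": [h for h in EXPECTED_HEADERS if h not in lower],
    }


# Constructed sample header sets (not captured from any real site).
BEFORE = {
    "Server": "Kestrel",
    "X-Powered-By": "ASP.NET",
    "Strict-Transport-Security": "max-age=2592000",  # 30 days: too short to preload
}
AFTER = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```

Run it against the headers from a real fetch (for example the dictionary from `requests.get(url).headers`) once the site is deployed; an empty `hsts` list means the header itself is acceptable to the preload list, after which the HTTPS and redirect checks on hstspreload.org still have to pass.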