betagouv / api-subventions-asso

MIT License

Investigate and fix the dashlord HTTP score #1407

Closed alice-telescoop closed 1 year ago

alice-telescoop commented 1 year ago

cf. src: use a middleware to add the headers everywhere

### Tasks
- [x] CSP header
- [x] HSTS header http -> https redirection
- [x] XFO header
- [x] ~X-XSS protection header~
- [x] X-Content-Type-Options

alice-telescoop commented 1 year ago

| header key | api | front |
| --- | --- | --- |
| Content-Security-Policy | default-src 'none' | see below |
| HSTS | max-age=63072000; includeSubDomains; preload | max-age=63072000; includeSubDomains; preload |
| XFO | DENY | DENY |
| ~X-XSS~ | :x: | :x: |
| X-Content-Type-Options | nosniff | nosniff |

```
default-src 'none';
connect-src 'self' https://api-subvention-asso-prod.osc-secnum-fr1.scalingo.io/ https://client.crisp.chat/ wss://client.relay.crisp.chat/w/b1/;
font-src 'self' https://client.crisp.chat;
img-src 'self' data: https://image.crisp.chat;
script-src 'unsafe-eval'
```

alice-telescoop commented 1 year ago

+ Cache-Control max-age 1800
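
The header set from the table above (plus the Cache-Control value) as an Express-style middleware, together with an audit function that checks a response's headers the way a scanner such as dashlord does. This is an added example, not code from the api-subventions-asso repository; the one-year HSTS threshold and the finding texts are assumptions.

```javascript
// Added example, not the project's code: the header set from the table above as an
// Express-style middleware, plus an audit like a scanner such as dashlord performs.
const FIXED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Cache-Control': 'max-age=1800',
};
// Middleware: set the fixed headers plus a per-app CSP on every response
// (the API uses default-src 'none'; the front needs the longer policy).
function securityHeaders(csp) {
  return (req, res, next) => {
    for (const [name, value] of Object.entries(FIXED_HEADERS)) res.setHeader(name, value);
    res.setHeader('Content-Security-Policy', csp);
    next();
  };
}
// Parse a CSP string into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) out[directive.toLowerCase()] = sources;
  }
  return out;
}
// Audit a header map (any name casing) and return the findings; thresholds are assumptions.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  const hsts = h['strict-transport-security'] || '';
  const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1]); // NaN when absent
  if (!hsts) findings.push('missing HSTS');
  else if (!(maxAge >= 31536000)) findings.push('HSTS max-age below one year');
  if (hsts && !/includeSubDomains/i.test(hsts)) findings.push('HSTS without includeSubDomains');
  if (!['DENY', 'SAMEORIGIN'].includes((h['x-frame-options'] || '').toUpperCase())) findings.push('X-Frame-Options missing or weak');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options not nosniff');
  if ('x-xss-protection' in h) findings.push('deprecated X-XSS-Protection present');
  const csp = h['content-security-policy'];
  if (!csp) findings.push('missing CSP');
  else {
    const d = parseCsp(csp);
    if (!d['default-src']) findings.push('CSP without default-src');
    for (const dir of ['default-src', 'script-src']) for (const src of ["'unsafe-inline'", "'unsafe-eval'"])
      if ((d[dir] || []).includes(src)) findings.push(`CSP ${dir} allows ${src}`);
  }
  return findings;
}
```

Run against the headers the middleware sets for the API, `auditHeaders` returns no findings; a front policy containing script-src 'unsafe-eval' is reported, which is the kind of item dashlord scores down.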

alice-telescoop commented 1 year ago

https://docs.crisp.chat/guides/others/whitelisting-our-systems/crisp-domain-names/

alice-telescoop commented 1 year ago

https://owasp.org/www-project-secure-headers
https://github.com/ovh/venom#installing

if we want to go further later