Closed callahan22 closed 3 years ago
Thanks for the suggestions! I'll play around with these and see if I can add some of them to index.html
as http-equiv meta headers, so they're web server independent and enabled by default. CSP can be somewhat tricky to configure, and STS can be risky to enable by default without fully knowing the implications of doing so.
I've committed CSP to index.html now. `img-src` is set to `* data:` to accommodate users picking any map provider they want, and not just OpenStreetMap. Permissions-Policy cannot be set via HTML meta tags, so I'm holding off implementing that. Making it a recommendation in the README could also cause problems in the future, if more features are added that require functions that are blocked by whatever default policy we set. Permissions-Policy also has very poor browser coverage currently.
For those of you that want to get an A+ at something like https://securityheaders.com, I have been hardening up the nginx reverse proxy config. Included below for those that are interested.
Edit - Looks like I spoke too soon. While no issues are seen on the site, the app fails to show the maps. Assuming this is the CSP preventing the pulling in of maps from openstreetmap. Will put some more work into finding out the cause....
Edit 2 - Fixed. Needed some adjustment to the Content-Security-Policy.
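The `img-src * data:` choice in the maintainer's comment and the "maps don't show" symptom in the last edit both come down to CSP source matching. The following is an added example, not the project's code and not the nginx config from this thread: a minimal CSP source-list matcher that checks whether a map tile URL would be allowed under a given `img-src`. The page origin, the strict sample policy and the tile URLs are constructed assumptions.

```javascript
// Added example (not the project's code and not from this thread): a minimal
// CSP source-list matcher that shows why `img-src * data:` was chosen and why a
// stricter img-src blocks tiles from a map provider the user picked. It covers
// the common CSP3 source forms ('none', *, 'self', scheme:, [scheme://]host[:port]
// with a leading "*." wildcard) and is deliberately not a full CSP engine.

function parseCsp(policy) {
  // "default-src 'self'; img-src * data:" -> { "default-src": ["'self'"], "img-src": ["*", "data:"] }
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  // "*" matches network schemes only; data: and blob: must be listed explicitly
  if (s === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (s === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. data:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  if (port && port !== "*") {
    const effective = url.port || { "https:": "443", "http:": "80" }[url.protocol] || "";
    if (effective !== port) return false;
  }
  return true;
}

// Would the browser let <img src=imageUrl> load on a page served with this policy?
function imageAllowed(policy, imageUrl, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d["img-src"] || d["default-src"]; // img-src falls back to default-src
  if (!sources) return true;                          // neither present: unrestricted
  return sources.some((src) => sourceMatches(src, new URL(imageUrl), pageOrigin));
}

// Constructed sample policies; the strict one reproduces the "maps don't show" symptom
const PAGE_ORIGIN = "https://app.example"; // assumed origin of the self-hosted app
const STRICT_CSP = "default-src 'self'; img-src 'self' https://tile.openstreetmap.org";
const LOOSE_CSP = "default-src 'self'; img-src * data:"; // img-src as in the thread, rest assumed
```

Under `STRICT_CSP` only tiles from the one listed host load, so a user who picked another provider sees an empty map; under `LOOSE_CSP` any http(s) tile host and inline data: images are permitted, which is the trade-off the maintainer accepted.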