codeformuenster / muenster-jetzt

https://muenster-update.de/
MIT License

Security HTTP headers? #39

Open ubergesundheit opened 4 years ago

ubergesundheit commented 4 years ago

I think we should configure our server to send security HTTP headers

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade

This could be done through traefik or should front and backend containers send these?

I think it would be good to send common ones through traefik and then send service specific ones by the application containers (CORS by backend for example).
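An added example (not code from the thread or the project) that checks the split proposed here: the common headers above are expected on every response, whichever layer sets them, while the CORS header is expected from the backend only and must not appear on frontend responses. The two HTTP responses are constructed for the example; the service names and rules are assumptions.

```python
# Common headers every service should return (the ones proposed in the issue).
COMMON_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

# Service-specific rules (assumed for this example): the backend answers
# cross-origin API calls and sends CORS headers; the frontend must not.
SERVICE_RULES = {
    "backend": {"required": ["Access-Control-Allow-Origin"], "forbidden": []},
    "frontend": {"required": [], "forbidden": ["Access-Control-Allow-Origin"]},
}

def parse_response_headers(raw: str) -> dict:
    """Return the header block of a raw HTTP response as {lower-name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(service: str, headers: dict) -> list:
    """List findings for one service's response; an empty list means compliant."""
    findings = []
    for name, expected in COMMON_HEADERS.items():
        actual = headers.get(name.lower())
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    for name in SERVICE_RULES[service]["required"]:
        if name.lower() not in headers:
            findings.append(f"missing service header {name}")
    for name in SERVICE_RULES[service]["forbidden"]:
        if name.lower() in headers:
            findings.append(f"{service} must not send {name}")
    return findings

# Constructed sample responses: the frontend wrongly sends a CORS header,
# the backend is missing one of the common headers.
FRONTEND_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Access-Control-Allow-Origin: *\r\n\r\n<html></html>")
BACKEND_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\nReferrer-Policy: no-referrer-when-downgrade\r\n"
    "Access-Control-Allow-Origin: https://muenster-update.de\r\n\r\n{}")

if __name__ == "__main__":
    for svc, raw in (("frontend", FRONTEND_RESPONSE), ("backend", BACKEND_RESPONSE)):
        print(svc, audit(svc, parse_response_headers(raw)) or "ok")
```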

bCyberBasti commented 4 years ago

I don't have a clear opinion on this. I only have the feeling that doing this in two places could be confusing and it is maybe better to set all headers in frontend and backend explicitly without any "magic headers" in traefik.. would love to hear more arguments from more people :) @jdemaeyer maybe 😉 ?

jdemaeyer commented 4 years ago

I also prefer setting common headers in a common place (e.g. in Traefik) rather than re-implementing them in every service. It's nice to have the backend focus on backend business logic, and have stuff like security headers in the reverse proxy, given that that's the part of the system responsible for talking to the outside world

ubergesundheit commented 4 years ago

Let us take a step back and try to compile a list of headers the different services should (or need) to send. The frontend for example shouldn’t send CORS headers.

I'll update this comment once I have access to a stationary computer.

bCyberBasti commented 4 years ago

Let us take a step back and try to compile a list of headers the different services should (or need) to send.

Good idea

The frontend for example shouldn’t send CORS headers.

Just an idea: maybe we need some places in frontend where we allow CORS.. guess for now it could be the kiosk view.. maybe later we offer some widgets like today's top event that you can embed in other websites?

That could be the point where we run into problems with generalised headers somewhere else?

ubergesundheit commented 4 years ago

Just an idea: maybe we need some places in frontend where we allow CORS.. guess for now it could be the kiosk view.. maybe later we offer some widgets like todays top event that you can embed in other websites?

No need for CORS headers for resources loaded by iframe, link or script tags.

bCyberBasti commented 4 years ago

No need for CORS headers for resources loaded by iframe, link or script tags.

yep but X-Frame which shouldn't be used in e.g. a (maybe implemented in the future) login page for an admin interface 😉

ubergesundheit commented 4 years ago

#54 will add CSP through a <meta> HTML header