covidwatchorg / portal

Covid Watch Portal web app for diagnosis verification
Apache License 2.0

Update Content Security Policy #530

Open colbymorrison opened 4 years ago

colbymorrison commented 4 years ago

We can ensure more security by updating the Content Security Policy header (which is currently only frame-ancestors 'none'). This ensures scripts, http, styles, fonts, and other data are only loaded from trusted sources. A good resource can be found here. The work here is to figure out exactly which sources we currently load things from, such as Firebase and the Google APIs, and whitelist them in the CSP. A missing whitelist could break the functionality of the site. This header (and other extra HTTP headers) is configured via an AWS Lambda@Edge function which can be edited from the Covid Watch AWS.
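An added example, not the portal's own Lambda@Edge code, of the origin-response function the issue describes: it builds a CSP that keeps the existing frame-ancestors 'none' rule and allowlists the kinds of Firebase and Google API hosts a site like this typically loads from. Every host in the allowlist, the companion headers and the report-only switch are assumptions; the host list has to be confirmed against the portal's real network requests before the policy is enforced.

```javascript
'use strict';

// Added example, not the portal's code. Every host below is an assumption
// about what the portal loads (Firebase, Google APIs); confirm each one
// against the site's real network requests before enforcing.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://apis.google.com', 'https://www.gstatic.com'],
  'connect-src': ["'self'", 'https://*.googleapis.com',
                  'https://*.firebaseio.com', 'wss://*.firebaseio.com'],
  'style-src': ["'self'", 'https://fonts.googleapis.com'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"], // keeps the rule the header already has
};

// Serialise the directive map into a single CSP header value.
function buildCsp(directives = CSP_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Add the CSP (plus two companion headers) to a CloudFront response object.
// reportOnly=true emits Content-Security-Policy-Report-Only, which reports
// violations without blocking, so a source missing from the allowlist shows
// up as a console report instead of a broken page during rollout.
function addSecurityHeaders(response, { reportOnly = false, csp = buildCsp() } = {}) {
  const headers = response.headers || (response.headers = {});
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  // CloudFront expects lowercase keys mapping to arrays of {key, value}.
  headers[name.toLowerCase()] = [{ key: name, value: csp }];
  headers['x-content-type-options'] = [{ key: 'X-Content-Type-Options', value: 'nosniff' }];
  headers['strict-transport-security'] = [{
    key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' }];
  return response;
}

// Lambda@Edge origin-response trigger: return the response with headers added.
async function handler(event) {
  return addSecurityHeaders(event.Records[0].cf.response);
}

// Constructed minimal origin-response event so the file runs offline.
const SAMPLE_EVENT = { Records: [{ cf: { response: { status: '200', headers: {} } } }] };

module.exports = { CSP_DIRECTIVES, buildCsp, addSecurityHeaders, handler, SAMPLE_EVENT };
```

Deploying first with `reportOnly: true` and watching for violation reports is how the "missing whitelist" failure mode in the issue is caught before any request is blocked.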