Closed ctm closed 7 months ago
Now that we're using HSTS, we get a C-. I think the other ones are even easier to fix than adding HSTS, because I don't think there are other hoops to jump through for local development (like creating a self-signed certificate and then having to tell the development machine to trust it).
I got it up to B+ fairly easily and am deploying now. To get a higher rating I need to tighten our Content Security Policy. I don't think that's going to be particularly hard, but it'll have me mucking with stuff I'm not particularly well versed in.
We now have an A+. There is still a little bit of ugliness:

- `wss://ws.craftpoker.com` as a connect-src, because the hostname isn't available in DefaultHeaders
- `unsafe-eval` as a script-src, because we use WASM and I couldn't find any workaround

I'll create a GitHub issue for our use of inline styles and even for the connect-src hardcode, but will leave the other two alone for now.
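The checks a header scanner runs against the policy described in the comment above, as an added example that is not part of this thread or the project's code. The header values are constructed to resemble the policy the comment ends up with, not fetched from craftpoker.com, and the one-year HSTS threshold is an assumed scanner rule:

```python
"""Audit HSTS and CSP headers for the weaknesses discussed in this thread."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # assumed threshold: scanners commonly expect >= 1 year

# Constructed sample mirroring the thread's final policy (not a live capture).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline'; "
        "connect-src 'self' wss://ws.craftpoker.com"
    ),
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weakness, in the order a scanner would list them."""
    findings: List[str] = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age: Optional[int] = None
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} is shorter than one year")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("CSP: header missing")
        return findings
    policy = parse_csp(csp)
    for directive in ("script-src", "style-src"):
        # A missing directive falls back to default-src, so check that instead.
        sources = policy.get(directive, policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"CSP: {directive} allows {weak}")
    for src in policy.get("connect-src", []):
        # A literal scheme://host is the hardcode the comment mentions.
        if src.startswith(("ws://", "wss://", "http://", "https://")):
            findings.append(f"CSP: connect-src hardcodes {src}")
    return findings
```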
Fix the issues that a scan of craftpoker.com shows.
I wasn't aware of that analyzer until now. I found it while looking at implementing HSTS as part of my solution to us not redirecting to HTTPS (#1321).