datakaveri / dx-acl-apd

DX-ACL-APD
https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/datakaveri/dx-acl-apd/main/docs/openapi.yaml
Apache License 2.0

[Feature] Security Headers at Vert.x API server #164

Open abhi4578 opened 2 months ago

abhi4578 commented 2 months ago

Thank you for filling out this feature request :vulcan_salute:

Description:

Right now, the security headers span nginx and Vert.x: some are implemented at the nginx level and some at Vert.x, and there is heterogeneity in which security headers each Vert.x-based API server implements.

Suggestion:

We can implement all (almost all, except for SSL-related configuration, which will be enabled at nginx) security headers at the Vert.x API server level!

Alternatives:

Anything else:

Ref: https://github.com/datakaveri/iudx-deployment/blob/f56e347ec671233205ceb399db966769363ebf2d/Docker-Swarm-deployment/single-node/nginx/example-configs/conf/acl-apd.conf#L10

Gokul-KG commented 1 month ago

Security headers that are generally static and can be applied globally across all applications should be handled at the NGINX level. This includes:

- Referrer-Policy
- X-Frame-Options
- X-XSS-Protection
- X-Permitted-Cross-Domain-Policies

Headers that may need to be dynamically adjusted based on specific application needs, such as:

- Cross-Origin-Embedder-Policy
- Cross-Origin-Resource-Policy

should be handled at the Vert.x application level.

If our current servers are already using the same static security headers across all applications, we should keep them managed at the NGINX level for consistency. For any cases where dynamic behavior or application-specific changes are required, we will implement those at the Vert.x level.
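The following is an added example, not code from the dx-acl-apd project or from either commenter, showing how the split discussed above looks on the Vert.x side: one router-wide handler that sets the static headers for every response, and a per-route handler that overrides one of the dynamic headers (Cross-Origin-Resource-Policy) for a resource that must be embeddable cross-origin. The class name `SecurityHeadersVerticle`, the routes `/public/:id` and `/private`, port 8080 and the header values chosen are all assumptions made for the example; the static set is what the thread names plus X-Content-Type-Options, with X-XSS-Protection set to `0` as OWASP now recommends. It uses only the Vert.x core and Vert.x Web APIs (`Router`, `RoutingContext`, `HttpServerResponse.putHeader`).

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServerResponse;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;

import java.util.Map;

// Added example (not project code): security headers at the Vert.x API
// server level. A global handler sets the static headers on every
// response; individual routes override the dynamic ones where needed.
public class SecurityHeadersVerticle extends AbstractVerticle {

  // Headers that are identical for every route of this API server.
  // Values are assumptions for the example; X-XSS-Protection is "0"
  // because the legacy browser filter is best explicitly disabled.
  static final Map<String, String> STATIC_HEADERS = Map.of(
      "X-Frame-Options", "DENY",
      "X-Content-Type-Options", "nosniff",
      "X-XSS-Protection", "0",
      "Referrer-Policy", "no-referrer",
      "X-Permitted-Cross-Domain-Policies", "none",
      // Secure defaults for the "dynamic" pair; routes may relax them.
      "Cross-Origin-Embedder-Policy", "require-corp",
      "Cross-Origin-Resource-Policy", "same-origin");

  // Global handler: installed on router.route() so it runs before every
  // route handler. putHeader replaces any existing value, so a later
  // route-level putHeader on the same name wins.
  static void securityHeaders(RoutingContext ctx) {
    HttpServerResponse resp = ctx.response();
    STATIC_HEADERS.forEach(resp::putHeader);
    ctx.next(); // hand over to the matching route handler
  }

  @Override
  public void start() {
    Router router = Router.router(vertx);
    router.route().handler(SecurityHeadersVerticle::securityHeaders);

    // Route-specific override (assumed route): a resource that other
    // origins are allowed to embed relaxes CORP for this response only.
    router.get("/public/:id").handler(ctx -> {
      ctx.response().putHeader("Cross-Origin-Resource-Policy", "cross-origin");
      ctx.response().end("public resource " + ctx.pathParam("id"));
    });

    // Any other route keeps the global defaults (CORP: same-origin).
    router.get("/private").handler(ctx -> ctx.response().end("private"));

    vertx.createHttpServer().requestHandler(router).listen(8080);
  }

  public static void main(String[] args) {
    Vertx.vertx().deployVerticle(new SecurityHeadersVerticle());
  }
}
```

Run it and compare `curl -i http://localhost:8080/private` with `curl -i http://localhost:8080/public/1`: both carry the static set, and only the second reports `Cross-Origin-Resource-Policy: cross-origin`. If nginx in front of this server also sets one of the static headers, the client receives it twice (nginx `add_header` appends rather than replaces), which is the consistency problem the thread is about; pick one layer per header.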