drand / tlock

Timelock Encryption made practical. The Go `tlock` library and the `tle` cmd line tool home to encrypt towards the future.
Apache License 2.0

timevault: missing web site security header #41

Closed (CluEleSsUK closed 1 year ago)

CluEleSsUK commented 1 year ago
Linking PR: https://github.com/drand/timevault/pull/42

CluEleSsUK commented 1 year ago

Copying my comment from the PR here for completeness:

I hoped to add x-frame-options, x-content-type-options and permissions-policy too, but this isn't possible via tags, and GitHub Pages on cloud enterprise doesn't have an option to manage response headers >.> I checked and strict transport security is already enabled.

edit: STS is enabled for me but wasn't a response header - perhaps I inherited it from the drand.love main site

update: indeed, when I open it in incognito, this also isn't set - HTTP gets redirected to HTTPS though

AnomalRoil commented 1 year ago

We could also put it behind Cloudflare, I guess.

CluEleSsUK commented 1 year ago

Agree - I think that’s the simplest option

AnomalRoil commented 1 year ago

We now have Cloudflare in front of the GitHub Pages.
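
An added example, not part of the thread or of drand's code: a check for the four headers discussed above that reads the raw response headers rather than what a browser session reports. The sample responses, the function names and the accepted values are assumptions made for illustration.

```python
# Added example: audit raw response headers for the four headers named in the thread.
REQUIRED = ("strict-transport-security", "x-frame-options",
            "x-content-type-options", "permissions-policy")

# Constructed sample responses (not captured from the real site).
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=600
"""
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Permissions-Policy: geolocation=(), camera=(), microphone=()
"""

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                # a blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value):
    """Return the max-age directive in seconds, or 0 if absent or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0

def audit(raw):
    """Return {header: problem} for every header that is missing or weak."""
    h = parse_headers(raw)
    problems = {name: "missing" for name in REQUIRED if name not in h}
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) == 0:
        problems["strict-transport-security"] = "max-age is absent or zero"
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        problems["x-content-type-options"] = "value must be nosniff"
    if h.get("x-frame-options", "deny").lower() not in ("deny", "sameorigin"):
        problems["x-frame-options"] = "value must be DENY or SAMEORIGIN"
    return problems

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

To check a live site, pass the output of `curl -sI <url>` to `audit()` instead of the constructed samples.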