[Sec] HTTP security headers

isra00 / neo-transposer

Automatically transpose the chords of the songs of the Neocatechumenal Way so that they fit your voice range. Available in Spanish, Italian, Portuguese, English and Swahili!

http://neo-transposer.com

GNU Affero General Public License v3.0

10 stars 1 forks source link

[Sec] HTTP security headers #163

Closed isra00 closed 2 years ago

isra00 commented 3 years ago

https://observatory.mozilla.org/analyze/neo-transposer.com

Especially:

(-40 pts) Session cookie set without using the Secure flag or set over HTTP
(-25) Content Security Policy (CSP) header not implemented

Set these headers:

Strict Transport Security
X Content Type Options
X Frame Options
Content Security Policy

I wouldn't implement "X XSS Protection", since it's deprecated now and it might prevent inline JS that we use.

isra00 commented 2 years ago

Added also cookie security settings, plus a long cookie lifetime for solving #123

isra00 commented 2 years ago

imagen