koroonakaart / koroonakaart

App to show statistics about the COVID-19 epidemic in Estonia.
https://www.koroonakaart.ee
MIT License

Implement security headers in HTTP response #232

Open neuroactive opened 3 years ago

neuroactive commented 3 years ago

We should add the most important headers recommended on this page to the HTTP response to improve the security of the site:

https://snyk.io/test/website-scanner/?test=210426_AiDc9P_d22dc7cfdf653e3199b8415bcc3c7a26

The following security headers are missing from the website:

- HIGH SEVERITY: Strict Transport Security. A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.
- LOW SEVERITY: X Content Type Options. The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
- MEDIUM SEVERITY: X Frame Options. Clickjacking protection: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from - allow from specified location, allowall - non-standard, allow from any location.
- HIGH SEVERITY: Content Security Policy. A computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
- LOW SEVERITY: X XSS Protection. A Cross-site scripting filter.

lietu commented 3 years ago

There is no user generated content on the website. The website does not take user input. These are not particularly relevant, and instead you end up creating software that is more difficult to maintain in some cases.

HSTS is just something that should be enabled for all domains, yes; it's super easy to do in most cases. Use it with the subdomains and preload flags.

X-Content-Type-Options is pointless with no user content

X-Frame-Options is pointless with no user input

Content-Security-Policy is pointless with no user content and this not being a high security system with sensitive information etc. Worst of all, it requires very strict control of the build process and of libraries loaded externally, and manually listing every allowed source in the CSP for every different type of content, or it's doing nothing useful at all. Many 3rd parties do not actually document how to use their scripts with CSP, so you need to know it pretty well to be able to use it.

X-XSS-Protection is again pointless with no user input
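Putting the two comments together, the block below is an added example and not koroonakaart's own code. The issue does not say what server the site runs on, so a plain Node.js `http.ServerResponse` (anything with `setHeader`) is assumed, and the CSP origins passed in are placeholders for whatever the site actually loads. It builds the five headers from the Snyk report with the `includeSubDomains` and `preload` flags lietu recommends, and audits a response the way the scanner does, so the same code shows what a passing response needs and why a CSP has to list every origin under every directive. One caveat the report does not mention: the legacy X-XSS-Protection filter is deprecated in current browsers, so the value set here is `0`, which disables it explicitly instead of relying on it.

```javascript
'use strict';
// Added example, not the project's code. Assumes a Node.js response object
// with setHeader(); the CSP origins are placeholders supplied by the caller.

const ONE_YEAR = 31536000; // seconds; the HSTS preload list requires at least this

// Builds a CSP string. Every origin a page loads from must be listed under the
// directive for that content type, or the browser blocks it. That per-source,
// per-directive listing is the maintenance cost discussed above.
function buildCsp(extra = {}) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", ...(extra.script || [])],
    'style-src': ["'self'", ...(extra.style || [])],
    'img-src': ["'self'", 'data:', ...(extra.img || [])],
    'connect-src': ["'self'", ...(extra.connect || [])],
    'font-src': ["'self'", ...(extra.font || [])],
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"], // CSP-era equivalent of X-Frame-Options: DENY
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// The five headers the scanner flagged, with values that pass the audit below.
function buildSecurityHeaders(cspExtra = {}) {
  return {
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains; preload`,
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': buildCsp(cspExtra),
    // Deprecated filter; "0" turns it off explicitly so it cannot misfire.
    'X-XSS-Protection': '0',
  };
}

// Sets the headers on any object exposing setHeader(name, value).
function applySecurityHeaders(res, headers = buildSecurityHeaders()) {
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return res;
}

// Checks a response header map the way the scanner does. Header names are
// case-insensitive. Returns one finding per problem; empty means all pass.
function auditSecurityHeaders(responseHeaders) {
  const h = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  const report = (header, severity, problem) => findings.push({ header, severity, problem });

  const hsts = h.get('strict-transport-security');
  if (hsts === undefined) report('Strict-Transport-Security', 'HIGH', 'missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR)
      report('Strict-Transport-Security', 'HIGH', 'max-age shorter than one year');
    if (!/includeSubDomains/i.test(hsts))
      report('Strict-Transport-Security', 'MEDIUM', 'missing includeSubDomains');
  }

  const xcto = h.get('x-content-type-options');
  if (xcto === undefined) report('X-Content-Type-Options', 'LOW', 'missing');
  else if (xcto.trim().toLowerCase() !== 'nosniff')
    report('X-Content-Type-Options', 'LOW', 'value is not nosniff');

  const xfo = h.get('x-frame-options');
  if (xfo === undefined) report('X-Frame-Options', 'MEDIUM', 'missing');
  else if (!['deny', 'sameorigin'].includes(xfo.trim().toLowerCase()))
    report('X-Frame-Options', 'MEDIUM', 'only DENY and SAMEORIGIN are honoured by current browsers');

  const csp = h.get('content-security-policy');
  if (csp === undefined) report('Content-Security-Policy', 'HIGH', 'missing');
  else if (!/(^|;)\s*(default-src|script-src)\b/i.test(csp))
    report('Content-Security-Policy', 'HIGH', 'no default-src or script-src; scripts are unrestricted');

  if (!h.has('x-xss-protection')) report('X-XSS-Protection', 'LOW', 'missing');

  return findings;
}

// Constructed sample: a response that only sets a short-lived HSTS policy.
console.log(auditSecurityHeaders({ 'Strict-Transport-Security': 'max-age=300' }));
```

Run against an empty header map the audit reproduces the five findings in the report; run against `buildSecurityHeaders()` it returns nothing. The `buildCsp` argument is where the per-origin listing happens, e.g. `buildCsp({ script: ['https://cdn.example'] })`, and any origin left out of its directive is blocked by the browser, which is the part that needs to be kept in step with the build and with third-party scripts.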