Open neuroactive opened 3 years ago
There is no user-generated content on the website. The website does not take user input. These are not particularly relevant, and instead you end up creating more difficult-to-maintain software in some cases.
HSTS is just something that should be enabled for all domains; yes, it's super easy to do in most cases. Use it with the subdomains and preload flags.
X-Content-Type-Options is pointless with no user content
X-Frame-Options is pointless with no user input
Content-Security-Policy is pointless with no user content and with this not being a high-security system with sensitive information, etc. Worst of all, it requires very strict control of the build process and of libraries loaded externally, and manually listing every allowed source in the CSP for every different type of content, or it's doing nothing useful at all; and many third parties do not actually document how to use their scripts with CSP, so you need to know it pretty well to be able to use it.
X-XSS-Protection is again pointless with no user input
We should add the most important headers recommended on this page to the HTTP response to improve the security of the site:
https://snyk.io/test/website-scanner/?test=210426_AiDc9P_d22dc7cfdf653e3199b8415bcc3c7a26
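As an added example (not code from this project, nor from the linked Snyk scanner), here is a small Python checker for the headers discussed in this thread. It parses a response header map and reports whether HSTS carries the includeSubDomains and preload flags with a max-age long enough for the preload list, whether X-Content-Type-Options is nosniff, whether framing is restricted by either X-Frame-Options or a CSP frame-ancestors directive, and whether a CSP is present with a default-src and a script-src that is not trivially bypassable. The header values below are constructed samples, and the finding codes and the one-year threshold are this example's own choices.

```python
"""Static check of HTTP response headers against the recommendations in this issue.

Added example, not code from the project. It takes a header dict (as returned by
requests/urllib, or typed in from `curl -I`) and returns short finding codes for
HSTS, X-Content-Type-Options, framing protection and Content-Security-Policy.
"""
from typing import Dict, List, Optional, Tuple

# hstspreload.org requires max-age of at least one year for submission.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample header sets; not captured from any real site.
SAMPLE_WEAK = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",  # not a valid value; browsers ignore it
}
SAMPLE_PARTIAL_CSP = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def parse_hsts(value: str) -> Tuple[int, bool, bool]:
    """Parse an HSTS value into (max_age, includeSubDomains, preload).

    max_age is -1 when absent or malformed so callers can compare numerically.
    """
    max_age, include_sub, preload = -1, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = -1
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for the given response headers; [] means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        max_age, include_sub, preload = parse_hsts(hsts)
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append("hsts-max-age")
        if not include_sub:
            findings.append("hsts-include-subdomains")
        if not preload:
            findings.append("hsts-preload")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("xcto")

    csp: Optional[Dict[str, List[str]]] = None
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
    xfo = h.get("x-frame-options", "").strip().upper()
    # Framing is restricted by a valid X-Frame-Options or by CSP frame-ancestors; either passes.
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        findings.append("clickjacking")

    if csp is None:
        findings.append("csp-missing")
    else:
        if "default-src" not in csp:
            findings.append("csp-no-default-src")
        scripts = csp.get("script-src", csp.get("default-src", []))
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is also listed.
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
        if "*" in scripts or ("'unsafe-inline'" in scripts and not has_nonce_or_hash):
            findings.append("csp-weak-script-src")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("partial", SAMPLE_PARTIAL_CSP), ("hardened", SAMPLE_HARDENED)):
        print(name, check_headers(sample) or "ok")
```

To run it against a live site, pass `requests.get(url).headers` (a case-insensitive dict) to `check_headers`. The CSP check only looks at script-src fallback and framing; it does not judge whether the listed sources are the right ones, which is exactly the per-site work the thread describes.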