Add some HTTP security-related headers

[oliv3]

Hi, This PR adds some HTTP headers that will raise the grade from F to B (Grafana), F to A (Node-Red) on https://securityheaders.com. Also, https://www.ssllabs.com now gives an A+. @terrillmoore There are still Referrer-Policy and Feature-Policy left to be defined, but those are kind of touchy. If you have any ideas, please let me know ! Regards,

[terrillmoore]

This looks good to me, thank you. You ready for me to merge?

[oliv3]

Hi, please don't yet. Some last minutes changes to be fixed:

• noticed the double Http Only rewrite for grafana cookies
• also droping (my previously wrong) CSP header for Grafana sends back to B
• also not sure if influxdb deserves all those headers ?
• node red looks ok
• had to add the cookie proxy pass rewrite for Grafana since that would break cookies for Traccar (the other app I'm adding right now, but no idea if this would be of interest to you) Basically it's not that urgent to merge this, better take some more time ?

[oliv3]

Also noticed that using grafana/grafana:latest grabs 5.2.4, when 5.3.0 is available. Would not go using master neither, maybe 5.3 images are not yet available ?

[terrillmoore]

I'm willing to wait. No rush. I've not had a chance to run the ssllabs tests on this, so this is definitely important work.

[oliv3]

@terrillmoore I think it's ok now !

• ssllabs.com: A+
• securityheaders.com:
  • A+ for InfluxDB
  • A for Grafana and Node-Red

[terrillmoore]

Thanks!

[oliv3]

You're welcome ! Found a #ttn on freenode is this related to the project ?

[terrillmoore]

I'm not much involved with freenode (slack, etc., sort of fill my time) -- it's possible. #ttn is often used as the abbreviation for "The Things Network". There's much traffic at thethingsnetwork.org and on the global thingsnetwork slack; not sure if they also have a freenode group.

[oliv3]

Religion forbids me using proprietary software :( And yes, there is a #ttn on freenode. 3 folks including me :)