pre-commit-ci / issues

public issues for https://pre-commit.ci

Security headers #58

Closed adamchainz closed 3 years ago

adamchainz commented 3 years ago

Both pre-commit.ci and results.pre-commit.ci score F's on security scanners securityheaders.com and Mozilla Observatory.

It would be good to see at least these headers (the ones Django has built-in):

With Flask I believe you can add them yourself or use the flask-talisman project. For GitHub Pages I think you need to add your own layer in front, e.g. CloudFlare + CloudFlare worker to add headers.

asottile commented 3 years ago

this should ~mostly be implemented now. for the github pages sites I've enabled HSTS and X-Content-Type-Options which are a simple toggle in cloudflare. the full set of headers is slightly more work and with (afaict) no benefit (they do not serve dynamic content or clickable forms)

I also went ahead and implemented CSP -- at some point I need to move my styles to a CDN but for now I've made one inline-src exclusion for that

thanks for the report!
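
The header set described in this thread (HSTS, X-Content-Type-Options, and a CSP that keeps a temporary inline-style exclusion), as an added example that is not part of this issue or of pre-commit.ci's own code: a framework-agnostic WSGI middleware, so it wraps a Flask app the same way flask-talisman would, plus a check in the spirit of what securityheaders.com reports. The header values, `SECURITY_HEADERS`, `demo_app` and `call` are assumptions constructed for the example.

```python
from typing import Callable, List, Tuple

# Assumed values modelled on the thread: HSTS, X-Content-Type-Options, and a
# CSP whose style-src keeps 'unsafe-inline' until the styles move to a CDN.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'; "
                               "style-src 'self' 'unsafe-inline'; "
                               "frame-ancestors 'none'",
}

def missing_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Names from SECURITY_HEADERS that a response lacks (empty = all set)."""
    present = {name.lower() for name, _ in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]

def security_headers(app: Callable) -> Callable:
    """Wrap a WSGI app (a Flask app is one) so every response carries the
    headers, without overriding a header a view has already set itself."""
    def middleware(environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            extra = [(n, SECURITY_HEADERS[n]) for n in missing_headers(headers)]
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, wrapped_start)
    return middleware

def demo_app(environ, start_response):
    """Constructed stand-in for the site: plain HTML, no security headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>pre-commit.ci</body></html>"]

def call(app: Callable, path: str = "/") -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Drive a WSGI app with a constructed GET request; return what it sent."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    print("missing before:", missing_headers(call(demo_app)[1]))
    print("missing after: ", missing_headers(call(security_headers(demo_app))[1]))
```

Dropping `'unsafe-inline'` from `style-src` once the styles live on a CDN (and adding that CDN origin) is the remaining step the comment above refers to.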

adamchainz commented 3 years ago

Great work! 👍