Closed adamchainz closed 3 years ago
this should ~mostly be implemented now. for the github pages sites I've enabled HSTS and X-Content-Type-Options which are a simple toggle in cloudflare. the full set of headers is slightly more work and with (afaict) no benefit (they do not serve dynamic content or clickable forms)
I also went ahead and implemented CSP -- at some point I need to move my styles to a CDN but for now I've made one inline-src exclusion for that
thanks for the report!
Great work! 👍
Both pre-commit.ci and results.pre-commit.ci score F's on security scanners securityheaders.com and Mozilla Observatory.
It would be good to see at least these headers (the ones Django has built-in):
- Strict-Transport-Security
  - on the root domain, add `includeSubdomains` and `preload`, then submit to https://hstspreload.org/
- X-Frame-Options: DENY
- Referrer-Policy: same-origin
- X-Content-Type-Options: nosniff
With Flask I believe you can add them yourself or use the flask-talisman project. For GitHub Pages I think you need to add your own layer in front, e.g. CloudFlare + CloudFlare worker to add headers.
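The Cloudflare Worker approach mentioned above, written out as an added example (not code from this issue or from pre-commit.ci itself): it sets the four headers listed in the report, with `includeSubDomains; preload` only on the apex, and adds a CSP with the inline-style exception the maintainer's reply describes. `ROOT_DOMAIN` and the CSP value are assumptions to adjust for your own site.

```javascript
// Added example: Cloudflare Worker that layers security headers onto responses
// proxied from a GitHub Pages origin. ROOT_DOMAIN is an assumption.
const ROOT_DOMAIN = 'example.com'; // the apex whose HSTS policy covers subdomains

// Build the header set for a request hostname.
// includeSubDomains + preload is only applied on the apex: once preloaded it
// cannot be quickly undone, so every subdomain must already serve HTTPS.
function securityHeaders(hostname) {
  const ONE_YEAR = 31536000; // seconds; hstspreload.org requires at least this
  const hsts = hostname === ROOT_DOMAIN
    ? `max-age=${ONE_YEAR}; includeSubDomains; preload`
    : `max-age=${ONE_YEAR}`;
  return {
    'Strict-Transport-Security': hsts,
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'same-origin',
    'X-Content-Type-Options': 'nosniff',
    // Assumed policy: static site, scripts/images from self, one exception
    // for inline <style> blocks until styles move to a CDN.
    'Content-Security-Policy':
      "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
  };
}

// Fetch from the origin and return a copy carrying the extra headers.
// The upstream Response is immutable, so a new one wraps its body and status.
async function handleRequest(request) {
  const upstream = await fetch(request);
  const response = new Response(upstream.body, upstream);
  const hostname = new URL(request.url).hostname;
  for (const [name, value] of Object.entries(securityHeaders(hostname))) {
    response.headers.set(name, value);
  }
  return response;
}

// Service-worker style entry point used by Cloudflare Workers; the guard
// keeps the module loadable outside the Workers runtime (e.g. in unit tests).
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```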