Security headers misconfigured
Closed this issue · 4 comments
Some security headers are missing or misconfigured. These include:
- access-control-allow-origin
- csp, x-frame-options
- hsts
Hey there,
can you clarify why access-control-allow-origin is misconfigured?
Can you also advise on what domains to use csp and x-frame-options? E.g. is it needed on the API host, or is that just for the web static files?
HSTS has been activated now.
ACAO had the value of '*' which means that it is unable to prevent CSRF attacks. Leaving the header out lets browsers default to a safe fallback. I don't have experience with Vue but I don't see why it would be necessary to set it.
x-frame-options can be set strictly, I think. I don't see a reason to use the application in an iframe.
content-security-policy is a bit complicated. I don't have the insight into the application to suggest a good value. It should be as strict as possible. You can use https://csp-evaluator.withgoogle.com/ to check if the value is secure. I see that JS and CSS are hosted on the same domain so you may get away with just default-src self and allowing calls to Sentry.
These recommendations all relate only to the frontend. I haven't checked the API in-depth but I saw that at least ACAO was set properly there.
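The recommendations in the comment above, turned into a small header checker. This is an added example, not code from the project or from anyone in this thread: it takes a response's headers as a plain object, applies the points made above (no wildcard ACAO, X-Frame-Options set, HSTS present with a long max-age, a CSP built on default-src 'self' that still lets the frontend reach Sentry) and returns a list of findings. The Sentry ingest host and both sample header sets are constructed placeholders; a project would substitute its own values.

```javascript
// Added example, not the project's own code: a checker for the response
// headers discussed in this thread. Header names are matched case-insensitively,
// as browsers treat them. SENTRY_HOST is an assumed placeholder for the real
// ingest host a project would allow in connect-src.

const SENTRY_HOST = "https://o0.ingest.sentry.io"; // assumption, per-project value
const ONE_YEAR_SECONDS = 31536000;

// Parse a CSP value into a Map of directive name -> [source expressions].
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Source expressions that leave a fetch directive effectively open.
function isWildcardSource(src) {
  return src === "*" || src === "http:" || src === "https:" || src === "data:";
}

// Evaluate a CSP value against the "default-src 'self' plus Sentry" baseline.
function checkCsp(csp) {
  const findings = [];
  const d = parseCsp(csp);
  const defaultSrc = d.get("default-src");
  if (!defaultSrc) {
    findings.push("csp: no default-src, so unlisted fetch directives are unrestricted");
    return findings;
  }
  // Fetch directives fall back to default-src when not set explicitly.
  const effective = (name) => d.get(name) || defaultSrc;
  const script = effective("script-src");
  const connect = effective("connect-src");

  if (defaultSrc.some(isWildcardSource)) findings.push("csp: default-src allows wildcard sources");
  if (script.some(isWildcardSource)) findings.push("csp: script-src allows wildcard sources");
  if (script.includes("'unsafe-inline'")) findings.push("csp: script-src allows 'unsafe-inline'");
  if (script.includes("'unsafe-eval'")) findings.push("csp: script-src allows 'unsafe-eval'");
  if (connect.some(isWildcardSource)) findings.push("csp: connect-src allows wildcard sources");
  else if (!connect.includes(SENTRY_HOST)) findings.push(`csp: connect-src does not allow ${SENTRY_HOST}; Sentry reports would be blocked`);
  return findings;
}

// Check a full response header set; returns an array of finding strings.
function checkHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // ACAO: "*" (or "null") lets any origin read the response; the frontend should omit it.
  const acao = h["access-control-allow-origin"];
  if (acao === "*" || acao === "null") findings.push(`access-control-allow-origin: "${acao}" is too permissive; omit the header`);

  // X-Frame-Options: the application has no reason to be framed, so DENY.
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (!xfo) findings.push("x-frame-options: missing; set DENY");
  else if (xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push(`x-frame-options: unsupported value "${xfo}"; set DENY`);

  // HSTS: present, with a max-age of at least one year.
  const hsts = h["strict-transport-security"];
  if (!hsts) findings.push("strict-transport-security: missing");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR_SECONDS) findings.push("strict-transport-security: max-age below one year");
  }

  // CSP: delegate to the directive-level checks above.
  const csp = h["content-security-policy"];
  if (!csp) findings.push("content-security-policy: missing");
  else findings.push(...checkCsp(csp));

  return findings;
}

// Constructed sample header sets: roughly the state reported in the issue, and a hardened set.
const WEAK_HEADERS = {
  "Access-Control-Allow-Origin": "*",
  "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
};
const HARDENED_HEADERS = {
  "X-Frame-Options": "DENY",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": `default-src 'self'; connect-src 'self' ${SENTRY_HOST}`,
};

console.log("weak:", checkHeaders(WEAK_HEADERS));
console.log("hardened:", checkHeaders(HARDENED_HEADERS));
```

Note that a bare `default-src 'self'` is reported as a finding by this checker because it would also block the Sentry calls the comment mentions; the hardened set adds the ingest host to connect-src only, which keeps scripts and styles restricted to the frontend's own origin.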
Thanks for the feedback, I'll look into it.
In addition, ACAO shouldn't matter for the frontend, if I am not mistaken?