Add headers for a more secure PWA. #1823
base: main
Conversation
Implement a few headers for the PWA to protect the application against Clickjacking and XSS attacks.
api/docker/caddy/Caddyfile
@@ -47,6 +47,18 @@ route { | |||
# Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA) | |||
header ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"` | |||
|
|||
# Set headers for protection against XSS, clickjacking and MIME-sniffing. |
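Review bot: the comment added at the end of this hunk announces protection against XSS, clickjacking and MIME-sniffing, but none of the directives that would set those headers are visible in this excerpt, so the review cannot confirm which header names and values are actually sent; please show them. They should also go in the same header block as the existing "?Link" line rather than a second block, and they should not copy the "?" prefix: in Caddy's header directive "?" only sets a field when it is not already present, which is right for the Link hint but wrong for the security headers, which should be set unconditionally so a value from the upstream application cannot replace them.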
Couldn't this block be merged with the previous line defining the Link header?
Agree, will update the pull request
I mean, can't we move ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"` inside the header / { block?
@johnhout I updated your PR, but according to OWASP the
This will need to be reorganized once #1893 is merged -- it's not correct to have
We should use the Next.js config instead, so they will be set even if the user doesn't use Caddy: https://nextjs.org/docs/advanced-features/security-headers
Implement a few headers for the PWA to protect the application against Clickjacking and XSS attacks based on the OWASP guidelines.
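The Next.js-config approach suggested above, as an added example that is not code from this PR or from the project: it declares the headers the PR describes (clickjacking, XSS, MIME-sniffing) plus Referrer-Policy and HSTS in the shape `next.config.js` expects, and adds a small check that reports which of them a deployed PWA's response is missing. The header values and the constructed sample response are this example's assumptions.

```javascript
// Added example (not from this PR or API Platform): Next.js security headers
// so they apply even when Caddy is not in front of the PWA. Header values are
// this example's choices; tighten the CSP to what the PWA actually loads.
const SECURITY_HEADERS = [
  // Clickjacking: refuse to be framed (frame-ancestors in the CSP below is the
  // modern equivalent; X-Frame-Options covers older browsers).
  { key: "X-Frame-Options", value: "DENY" },
  // MIME sniffing: make browsers honour the declared Content-Type.
  { key: "X-Content-Type-Options", value: "nosniff" },
  // XSS: only run scripts and load resources from our own origin.
  {
    key: "Content-Security-Policy",
    value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
  },
  // Limit what the Referer header leaks to other sites.
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  // Keep clients on HTTPS for a year (only meaningful once TLS is in place).
  { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains" },
];

function securityHeaders() {
  return SECURITY_HEADERS.map((h) => ({ ...h }));
}

// The shape next.config.js expects: headers() resolves to [{ source, headers }].
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders() }];
  },
};

// Defender's check: given the response headers actually observed on a deployed
// PWA (names are case-insensitive), list the protections missing or altered.
function missingSecurityHeaders(observed) {
  const seen = new Map(
    Object.entries(observed).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  return SECURITY_HEADERS.filter(
    ({ key, value }) => seen.get(key.toLowerCase()) !== value
  ).map(({ key }) => key);
}

// Constructed sample: a response where only the Caddyfile's Link header and
// nosniff were set, so four of the five protections are still missing.
const sampleResponse = {
  "Content-Type": "text/html; charset=utf-8",
  Link: '</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"',
  "x-content-type-options": "nosniff",
};
console.log(missingSecurityHeaders(sampleResponse));
```

To use it in the PWA, export `nextConfig` from `next.config.js`; the check function can be fed the headers returned by a request to the deployed site to verify they really reach the browser.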