
chore: add headers #91

Merged
merged 19 commits into from
May 23, 2024

Conversation

alexiscolin
Member

@alexiscolin alexiscolin commented May 7, 2024

Add basic security headers. Feel free to add missed one (or missed properties)


netlify bot commented May 7, 2024

Deploy Preview for govgen-governance-dapp ready!

Name Link
🔨 Latest commit 4ecc43c
🔍 Latest deploy log https://app.netlify.com/sites/govgen-governance-dapp/deploys/664ec13862b6de0008e74054
😎 Deploy Preview https://deploy-preview-91--govgen-governance-dapp.netlify.app

@clockworkgr
Member

@kristovatlas can you review this as well?

@kristovatlas
Collaborator

kristovatlas commented May 10, 2024

This looks great. Just a couple notes about Content-Security-Policy:

  • default-src: 'self' can be used to bypass CSP if the domain hosts JSONP content, Angular.js, or user-uploaded files, which it probably doesn't.
  • Can we set object-src to 'none'? The object-src directive specifies a source of potentially dangerous HTML elements, such as <object>, <embed>, <applet>, <script>, <frame>, <iframe>, <img>, <style>, <video>, <audio>, and <script>. When set to none, the object-src directive restricts the sources of these elements to none, effectively blocking all inline content from loading. This means that any attempts to load content from an external source will be blocked, and the page will only load content from trusted sources.
  • Down the line, we should look into implementing Trusted Types but I wouldn't worry about it for now.
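As an added example (not code from the govgen-governance-dapp project or from this PR), the following JavaScript linter checks a Content-Security-Policy header value for the points raised in the review above: that object-src resolves to 'none' (directly or via the default-src fallback), that script-src does not carry 'unsafe-inline' or a wildcard, that script-src inheriting 'self' from default-src is flagged for a look at what the origin serves, and whether Trusted Types enforcement is present. It assumes the policy is available as the raw header string; the sample policies at the end are constructed, not the project's real headers.

```javascript
// Added example, not code from the govgen-governance-dapp repository or this PR.
// A small linter for a Content-Security-Policy header value.

// Parse a CSP header value into a Map of lower-cased directive name -> source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const part = raw.trim();
    if (part === "") continue;
    const [name, ...sources] = part.split(/\s+/);
    const key = name.toLowerCase();
    // CSP ignores a repeated directive; only the first occurrence counts.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Keyword sources ('self', 'none', 'unsafe-inline', ...) are ASCII case-insensitive.
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// Sources that actually apply to a fetch directive: its own list, or the
// default-src list when the directive is absent, or null when neither exists.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get("default-src") ?? null;
}

// Returns { errors, info }: errors are settings a reviewer would block on,
// info items are things worth a second look.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const errors = [];
  const info = [];

  const objectSrc = effectiveSources(d, "object-src");
  if (objectSrc === null) {
    errors.push("object-src: missing and no default-src fallback, plugin content is unrestricted");
  } else if (!(objectSrc.length === 1 && hasKeyword(objectSrc, "'none'"))) {
    errors.push(`object-src: expected 'none', effective value is "${objectSrc.join(" ")}"`);
  }

  const scriptSrc = effectiveSources(d, "script-src");
  if (scriptSrc === null) {
    errors.push("script-src: missing and no default-src fallback, any script source is allowed");
  } else {
    if (hasKeyword(scriptSrc, "'unsafe-inline'")) {
      errors.push("script-src: 'unsafe-inline' allows injected inline scripts");
    }
    if (scriptSrc.includes("*")) {
      errors.push("script-src: wildcard host source");
    }
    if (!d.has("script-src") && hasKeyword(scriptSrc, "'self'")) {
      info.push("script-src inherits 'self' from default-src: check what the origin itself serves");
    }
  }

  if (!d.has("require-trusted-types-for")) {
    info.push("Trusted Types not enforced (require-trusted-types-for 'script' absent)");
  }
  return { errors, info };
}

// Constructed sample policies (not the project's real headers).
const SAMPLE_OK = "default-src 'self'; script-src 'self'; object-src 'none'";
const SAMPLE_FALLBACK_ONLY = "default-src 'self'";
const SAMPLE_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'";

for (const p of [SAMPLE_OK, SAMPLE_FALLBACK_ONLY, SAMPLE_INLINE]) {
  console.log(p, "\n ", JSON.stringify(lintCsp(p)));
}
```

The fallback rule is the reason object-src needs an explicit 'none' here: with only `default-src 'self'`, object-src quietly inherits 'self', so plugin content from the site's own origin is still allowed.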

@alexiscolin
Member Author

alexiscolin commented May 12, 2024

@kristovatlas I've added object-src and made some fixes related to inline scripts (broken after the commit).

@kristovatlas
Collaborator

Looks good, just left 1 in-line comment about a possible typo @alexiscolin

@alexiscolin
Member Author

@Stuyk Do you think you could take a look and check if GH discussion works well? I wouldn't like it to be blocked for some reason at some points after the merge.

@clockworkgr
Member

@Stuyk Do you think you could take a look and check if GH discussion works well? I wouldn't like it to be blocked for some reason at some points after the merge.

@Stuyk ?

@alexiscolin alexiscolin enabled auto-merge (squash) May 23, 2024 04:08
@alexiscolin alexiscolin merged commit 9314a10 into main May 23, 2024
10 checks passed
@alexiscolin alexiscolin deleted the chore/headers-content branch May 23, 2024 04:11