
Security HTTP headers? #39

Open
ubergesundheit opened this issue Jul 24, 2020 · 7 comments

Comments

@ubergesundheit
Member

I think we should configure our server to send security HTTP headers:

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade

This could be done through traefik, or should front and backend containers send these?

I think it would be good to send common ones through traefik and then send service specific ones by the application containers (CORS by backend for example).
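An added example (not code from this issue or the project) that models the split proposed above: a common header set that a reverse proxy such as Traefik applies to every response, plus a per-service policy for headers only one service should send, and an audit that flags a response as non-compliant when a common header is missing or mis-valued, a required service header is absent, or a header that service must not send is present. The service names, the allowed origin and the sample responses are constructed for illustration.

```python
# Added example, not code from the issue or the project. It models the split
# discussed above: a common header set applied once at the reverse proxy
# (Traefik here) and a per-service policy for headers only one service should
# send. Service names, the allowed origin and the sample responses are
# constructed for illustration.

# Headers every response should carry, whichever container produced it.
# X-XSS-Protection is listed because the issue proposes it; note that
# Chromium-based browsers and Firefox no longer act on it, so it adds little.
COMMON_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "X-XSS-Protection": "1; mode=block",
}

# Service-specific policy: headers the service must send with a given value,
# and headers it must not send at all. A proxy-wide X-Frame-Options: DENY
# would be right for an admin login but would break an embeddable kiosk
# view, and CORS headers belong only on the API.
SERVICE_POLICIES = {
    "backend-api": {
        "require": {"Access-Control-Allow-Origin": "https://app.example.org"},
        "forbid": set(),
    },
    "frontend": {
        "require": {"X-Frame-Options": "DENY"},
        "forbid": {"Access-Control-Allow-Origin"},
    },
    "frontend-kiosk": {
        "require": {},
        "forbid": {"Access-Control-Allow-Origin", "X-Frame-Options"},
    },
}


def _check(got, required, findings, label):
    """Compare required name->value pairs against a lower-cased header map."""
    for name, expected in required.items():
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing {label} header {name}")
        elif actual.strip().lower() != expected.lower():
            findings.append(
                f"unexpected value for {name}: {actual!r} (want {expected!r})"
            )


def audit(service, headers):
    """Return sorted findings for one response; an empty list means compliant.

    Header names are compared case-insensitively, as HTTP requires."""
    got = {name.lower(): value for name, value in headers.items()}
    findings = []
    _check(got, COMMON_HEADERS, findings, "common")
    policy = SERVICE_POLICIES[service]
    _check(got, policy["require"], findings, service)
    for name in policy["forbid"]:
        if name.lower() in got:
            findings.append(f"{service} must not send {name}")
    return sorted(findings)


# Constructed sample responses, one per service.
SAMPLE_RESPONSES = {
    # proxy added the common set, backend added CORS: compliant
    "backend-api": {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer-when-downgrade",
        "X-XSS-Protection": "1; mode=block",
        "Access-Control-Allow-Origin": "https://app.example.org",
    },
    # frontend copied the backend's CORS header and lost nosniff: two findings
    "frontend": {
        "Content-Type": "text/html",
        "Referrer-Policy": "no-referrer-when-downgrade",
        "X-XSS-Protection": "1; mode=block",
        "X-Frame-Options": "DENY",
        "Access-Control-Allow-Origin": "https://app.example.org",
    },
    # a proxy-wide X-Frame-Options: DENY leaked onto the embeddable kiosk view
    "frontend-kiosk": {
        "Content-Type": "text/html",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer-when-downgrade",
        "X-XSS-Protection": "1; mode=block",
        "X-Frame-Options": "DENY",
    },
}


if __name__ == "__main__":
    for service, headers in SAMPLE_RESPONSES.items():
        print(service, audit(service, headers) or "ok")
```

The per-service "forbid" set is the part a single proxy-wide header block cannot express: in Traefik the headers middleware is attached per router, so the anti-framing header can be applied to the admin route and left off the kiosk route rather than set globally.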

@bCyberBasti
Collaborator

I don't have a clear opinion on this. I only have the feeling that doing this in two places could be confusing and it is maybe better to set all headers in frontend and backend explicitly without any "magic headers" in traefik. I would love to hear more arguments from more people :) @jdemaeyer maybe 😉 ?

@jdemaeyer
Collaborator

I also prefer setting common headers in a common place (e.g. in Traefik) rather than re-implementing them in every service. It's nice to have the backend focus on backend business logic, and have stuff like security headers in the reverse proxy, given that that's the part of the system responsible for talking to the outside world.

@ubergesundheit
Member Author

Let us take a step back and try to compile a list of headers the different services should (or need) to send. The frontend for example shouldn't send CORS headers.

I'll update this comment once I have access to a stationary computer.

@bCyberBasti
Collaborator

> Let us take a step back and try to compile a list of headers the different services should (or need) to send.

Good idea.

> The frontend for example shouldn't send CORS headers.

Just an idea: maybe we need some places in frontend where we allow CORS.. guess for now it could be the kiosk view.. maybe later we offer some widgets like today's top event that you can embed in other websites?

That could be the point where we run into problems with generalised headers somewhere else?

@ubergesundheit
Member Author

> Just an idea: maybe we need some places in frontend where we allow CORS.. guess for now it could be the kiosk view.. maybe later we offer some widgets like today's top event that you can embed in other websites?

No need for CORS headers for resources loaded by iframe, link or script tags.

@bCyberBasti
Collaborator

> No need for CORS headers for resources loaded by iframe, link or script tags.

Yep, but X-Frame, which shouldn't be used in e.g. a (maybe implemented in the future) login page for an admin interface 😉

@ubergesundheit
Member Author

#54 will add CSP through a <meta> HTML header
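An added example (not from this issue, the linked PR or the project) on the caveat of delivering CSP through a `<meta http-equiv="Content-Security-Policy">` element: per the CSP specification, the `frame-ancestors`, `report-uri` and `sandbox` directives have no effect there, so anti-framing (the X-Frame-Options point raised above) and violation reporting still need an HTTP response header, which is exactly the kind of header the reverse proxy could add. The functions parse a policy string, list the directives a `<meta>` element silently drops, and split the policy into the part that can stay in `<meta>` and the part that must go in a `Content-Security-Policy` header. The sample policy string is constructed.

```python
# Added example, not from the issue or the project: a check for the
# limitation of delivering CSP in a <meta http-equiv="Content-Security-Policy">
# element. Per the CSP specification, frame-ancestors, report-uri and sandbox
# have no effect there. The sample policy string is constructed.

META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}


def parse_csp(policy):
    """Parse 'directive value ...; directive ...' into a dict of
    directive name -> list of values (insertion order preserved).

    Names are case-insensitive, and a repeated directive keeps its first
    occurrence, which is how browsers treat duplicates."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


def serialize_csp(directives):
    """Inverse of parse_csp: 'name v1 v2; name2 ...' (bare directives stay bare)."""
    return "; ".join(" ".join([name] + values) for name, values in directives.items())


def meta_ignored_directives(policy):
    """Directives present in the policy that a <meta> element silently drops."""
    return sorted(name for name in parse_csp(policy) if name in META_IGNORED)


def split_for_delivery(policy):
    """Return (meta_policy, header_only_policy).

    The first string can be placed in <meta>; the second is only effective
    when sent as a Content-Security-Policy HTTP header (e.g. by the proxy)."""
    directives = parse_csp(policy)
    meta = {n: v for n, v in directives.items() if n not in META_IGNORED}
    header = {n: v for n, v in directives.items() if n in META_IGNORED}
    return serialize_csp(meta), serialize_csp(header)


# Constructed sample: a policy that mixes meta-safe and header-only directives.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.org; "
    "frame-ancestors 'none'; "
    "report-uri /csp-report"
)


if __name__ == "__main__":
    print("ignored in <meta>:", meta_ignored_directives(SAMPLE_POLICY))
    meta_part, header_part = split_for_delivery(SAMPLE_POLICY)
    print("<meta> content:  ", meta_part)
    print("HTTP header only:", header_part)
```

If the `<meta>` route is taken, the anti-framing decision still has to be made per route in the HTTP layer (either `X-Frame-Options` or a `Content-Security-Policy: frame-ancestors ...` header), which ties back to the question above of which headers the proxy should own.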
