Add headers for a more secure PWA. #1823
Conversation
Implement a few headers for the PWA to protect the application against Clickjacking and XSS attacks.
api/docker/caddy/Caddyfile
Outdated
| @@ -47,6 +47,18 @@ route { | |||
| # Add links to the API docs and to the Mercure Hub if not set explicitly (e.g. the PWA) | |||
| header ?Link `</docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure"` | |||
|
|
|||
| # Set headers for protection against XSS, clickjacking and MIME-sniffing. | |||
There was a problem hiding this comment.
Couldn't this block be merged with the previous line defining the Link header?
There was a problem hiding this comment.
Agree, will update the pull request
There was a problem hiding this comment.
I mean can't we move ?Link </docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation", </.well-known/mercure>; rel="mercure" inside the header / { block?
|
@johnhout I updated your PR, but according to OWASP the |
|
This will need to be reorganized once #1893 is merged -- it's not correct to have |
|
We should use the Next.js config instead, so there will be set even if the user doesn't use Caddy: https://nextjs.org/docs/advanced-features/security-headers |
|
I guess this PR was superseded by the merge of #1893 ? |
|
My PR did something different than this @rvanlaak it was fixing a config bug related to I don't think this PR is needed though, those additional "security headers" should be set in the API Platform app itself (via a middleware) as needed and not set in the web server. Those security headers are an application-layer concern, not a webserver-layer. |
Implement a few headers for the PWA to protect the application against Clickjacking and XSS attacks based on the OWASP guidelines.