Set security headers on marketing sites

[franckc]

I'm not aware of any vulnerability. But as good security hygiene we should set security headers on the HTTP responses returned by all our marketing sites (originprotocol.com; ousd.com; story.xyz).
I took a quick inventory by manually inspecting the responses we are currently returning and also by using one of the many tools returned when googling "security header scanner".

Here are my suggestions.

1. strict-transport-security
   See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
   => Let's set: strict-transport-security: max-age=31536000; includeSubdomains

2. x-xss-protection
   See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
   => Let's set: x-xss-protection: 1; mode=block

3. Cross-Origin-Opener-Policy
   See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
   => Let's set: cross-origin-opener-policy-report-only: same-origin-allow-popups

4. X-Content-Type-Options: nosniff
   See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
   => Let's set: X-Content-Type-Options: nosniff

5. Referrer policy
   See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
   => No action needed. The default is strict-origin-when-cross-origin which I think should be fine.

6. Content-Security-Policy
   See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
   That one is complicated. Our sites do load some data, img assets and scripts from 3rd party sites. We could take an inventory and add all of them but I'm not positive it's the best way to go. I'd be interested in feedback from our team on what CSP we should use.

• On originprotocol.com we load:
  • Json data from api.coingecko.com
  • JSON data from api.originprotocol.com
  • img.youtube.com
  • *.ingest.sentry.io
  • www.google-analytics.com
  • www.googletagmanager.com
  • www.google.com
• On ousd.com we load:
  • Json data from api.coingecko.com
  • JSON data from api.originprotocol.com
  • JSON data from analytics.ousd.com
  • Img assets from cmsmediaproduction.s3.amazonaws.com
• On story.xyz
  • img.youtube.com

[franckc]

@mikeshultz @nickick @rolandpo Could you please provide feedback on this proposal? I'm not well versed in the myriad of HTTP security headers... thanks :)

[mikeshultz]

eh, I tend to reinvent the wheel every time I dig into things like CSP. Wonder if we could find some guides or buidlers that would help us put together a header package. Either way, I don't have much feedback without digging into it fully.

[rolandpo]

first 4 added in OriginProtocol/ousd.com#36, #85 and OriginProtocol/story.xyz#9

[rolandpo]

strict-transport-security, x-xss-protection, Cross-Origin-Opener-Policy and X-Content-Type-Options headers have been added and merged into the 3 sites. Is there anything else to add?

[franckc]

Awesome. Thanks for adding these headers @rolandpo

Ideally we should also add CSP.
But we have to be careful since it could break loading 3rd party content/scripts.
Lower priority, we can keep this on the backburner for when we have free cycles.