[TODO] Improved security headers #821
Comments
Top stuff, thanks! I'll implement this (and other tasks) in the next weeks / asap!

@panique Any plans on adding this? :) I understand you have been extremely busy.

Hi, just to help some people out, to fix these errors you want to add this into your .htaccess file. Please read up on the Content-Security-Policy as you will need to fine tune it for your needs, e.g. I use cloudinary and call jquery from googleapis, so needed to add that to enable the scripts to run. An error is thrown in the browser's debug console so they are easy to fix. Cheers

```apache
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' www.google-analytics.com *.cloudflare.com *.googleapis.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.cloudflare.com *.cloudinary.com"
Header always set Referrer-Policy "same-origin"
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
# the body and closing </FilesMatch> of this block were cut off in the comment as posted
```

@CaptainKarma or @panique kindly submit a pull request for this.
The code is missing some important headers
https://securityheaders.io/?q=http%3A%2F%2F104.131.8.128%2Flogin%2Findex&followRedirects=on
Here's facebook for comparison:
https://securityheaders.io/?q=facebook.com&followRedirects=on
and google:
https://securityheaders.io/?q=https%3A%2F%2Faccounts.google.com%2FServiceLogin%3Fhl%3Dde%26passive%3Dtrue%26continue%3Dhttp%3A%2F%2Fwww.google.de%2F%253Fgfe_rd%253Dcr%2526ei%253DR7nCV-GEJc3b8AeWoYLwDQ&followRedirects=on
And while this is not implemented, we should mention the importance of SSL in the readme file.
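As an added example that is not part of this thread or the project, here is a small Python audit in the spirit of the securityheaders.io reports linked above: it lists the headers that are missing and flags the `'unsafe-inline'` script source that the .htaccess posted earlier allows. `SAMPLE_HEADERS` is constructed from that posted configuration; the set of expected headers and the one-year HSTS threshold are this example's own choices.

```python
# Added example (not the project's code): audit a response's security headers
# in the spirit of the securityheaders.io reports linked in this issue.
# SAMPLE_HEADERS is constructed from the .htaccess posted in the thread.

EXPECTED = ("Strict-Transport-Security", "Content-Security-Policy",
            "Referrer-Policy", "X-Content-Type-Options", "X-Frame-Options")
ONE_YEAR = 31536000  # the max-age value used in the posted HSTS header

def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value):
    """Return the integer max-age from an HSTS header, or None if absent."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None

def audit(headers):
    """Return a list of findings for a dict of response headers."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"missing {name}" for name in EXPECTED if name.lower() not in lower]
    csp = lower.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP script-src allows 'unsafe-inline'")
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    return findings

SAMPLE_HEADERS = {  # constructed from the posted .htaccess
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' "
    "www.google-analytics.com *.cloudflare.com *.googleapis.com; style-src 'self' "
    "'unsafe-inline'; img-src 'self' data: *.cloudflare.com *.cloudinary.com",
    "Referrer-Policy": "same-origin",
}
```

Calling `audit(SAMPLE_HEADERS)` reports the two missing headers and the inline script allowance; swap in the headers of a real response (for instance `requests.get(url).headers`) to check a deployment.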