Move security headers into app #1328

Closed
miketaylr opened this issue Feb 3, 2017 · 0 comments
@miketaylr
Member

I've added the following security headers to our nginx config. But we should move them into the app, IMO. That way we can easily enable or tweak certain values for certain assets (and do it in python).

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "DENY";

Relates to #763

@miketaylr miketaylr self-assigned this Feb 27, 2017
miketaylr pushed a commit that referenced this issue Feb 27, 2017
Note: we don't set STS because localhost is not served over TLS.
Fixes #1328.
miketaylr pushed a commit that referenced this issue Feb 28, 2017
Note: we don't set STS because localhost is not served over TLS.
Fixes #1328.
@karlcow karlcow closed this as completed in fdcacec Mar 2, 2017
karlcow added a commit that referenced this issue Mar 2, 2017
Fixes #1329, #1328. Add a CSP reporting endpoint and move security headers into app.
jeanhl pushed a commit to jeanhl/webcompat.com that referenced this issue Mar 10, 2017
…quest.

Note: we don't set STS because localhost is not served over TLS.
Fixes webcompat#1328.
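
An added example (not code from the webcompat.com repository) of setting the headers from this issue in Python rather than in nginx, with HSTS sent only when the request arrived over TLS, as the commit note describes. It assumes the app is a WSGI application; the `/embed/` override and the `demo_request` helper are hypothetical and constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Values taken from the nginx config quoted in the issue.
BASE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
}
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
# Hypothetical per-path override (assumption, not from the issue).
PATH_OVERRIDES = {"/embed/": {"X-Frame-Options": "SAMEORIGIN"}}

class SecurityHeaders:
    """WSGI middleware that appends security headers to every response."""
    def __init__(self, app, overrides=PATH_OVERRIDES):
        self.app = app
        self.overrides = overrides

    def headers_for(self, environ):
        wanted = dict(BASE_HEADERS)
        path = environ.get("PATH_INFO", "")
        for prefix, changes in self.overrides.items():
            if path.startswith(prefix):
                wanted.update(changes)
        # Browsers ignore HSTS received over plain HTTP, so skip it there
        # (covers a local development server without TLS).
        if environ.get("wsgi.url_scheme") == "https":
            wanted[HSTS[0]] = HSTS[1]
        return wanted

    def __call__(self, environ, start_response):
        wanted = self.headers_for(environ)
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            # Headers the view set itself win, so a view can tweak a value.
            extra = [(k, v) for k, v in wanted.items() if k.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, patched_start)

def demo_request(path, scheme, app_headers=()):
    """Run one constructed request through the middleware; return headers."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain"), *app_headers])
        return [b"ok"]
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"PATH_INFO": path, "wsgi.url_scheme": scheme})
    captured = {}
    SecurityHeaders(app)(environ, lambda s, h, e=None: captured.update(h))
    return captured
```
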