Implement CSPs on data.gov, catalog.data.gov, resources.data.gov #4952
Labels
compliance
Relating to security compliance or documentation
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
User Story
In order to take all measures to prevent XSS attacks, datagovteam wants to implement a Content Security Policy.
Acceptance Criteria
AND having CSPs is an accepted web best practice
WHEN a page loads
THEN a CSP is present in the header
Background
18F recommends CSPs https://guides.18f.gov/engineering/security/content-security-policy/
AND we get a ding on ScanGov score for not having one on data.gov specifically: https://scangov.org/profile/?domain=data.gov#security
Despite data.gov and resources.data.gov being static sites, it would help us maintain better "scores" to have a CSP in place.
Security Considerations (required)
Will improve security posture from data injection and XSS attacks
Sketch
meta-tagmeta-tagmeta-tagThe text was updated successfully, but these errors were encountered: