Improve Security Headers #9549
Comments
Can we do much about jhipster.tech as it is hosted by GitHub Pages? Agree for our generated apps.

@jhipster/developers Did we do anything about the headers for our generated apps already?

For www.jhipster.tech, it is served by GitHub Pages so I'm not sure we can do much. However, for start.jhipster.tech, it's a JHipster app so we should be setting the CSP headers to improve security.

We should set all security headers by default and document them on a special page. The Spring Security docs document them well: https://docs.spring.io/spring-security/site/docs/5.2.x/reference/html5/#default-security-headers-2 However, this might impact the development experience. @mraible what do you think?

It'd be cool to write some documentation on how to get from having a C to an A. I don't care if it's Heroku or someone else, but it'd be similar to https://developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify.

I will work on that. I propose to deny the page from being framed (or same origin); currently we do not send any information about that. Furthermore, I would set the referrer policy to For the headers @jhipster/developers We could also set a very restrictive Finally it looks like this: After:

We need to set both What do you think? Leave the
by setting content-security and feature policy and deny embedding in an iFrame closes jhipster#9549
With reference to https://stackoverflow.com/questions/57500340/jhipster-doesnt-open-file-uploaded/57505766#57505766 and #10227. Maybe we need to add information about adding exceptions to content security policy in our documentation? I can add this if you like. 😄
We should allow downloading uploaded files by default I would say. So we should open a bug to track that.
@atomfrede I fully agree with you and no need to open a new bug, just re-open #10227
Overview of the feature request
We should improve our security headers to show we care about security.
jhipster.tech gets an F: https://securityheaders.com/?q=jhipster.tech&followRedirects=on
21-points.com gets a C: https://securityheaders.com/?q=21-points.com&followRedirects=on
In my experience with raibledesigns.com, a lot of the headers can be configured at the server level (rather than the app level), so it might just be a matter of documentation.
raibledesigns.com gets an A: https://securityheaders.com/?q=raibledesigns.com&followRedirects=on
Motivation for or Use Case
To show we care about security on the JHipster project.
Related: You can configure a Content Security Policy with Spring Security.
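The header set proposed in the comments above (deny framing, a restrictive Content-Security-Policy, a Referrer-Policy and a Feature-Policy), written out against the Spring Security 5.2 `HttpSecurity.headers()` API linked in the thread. This is an added illustration, not JHipster's generated `SecurityConfiguration`; the class name, the directive values and the `/api/**` matcher are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
@EnableWebSecurity
public class SecurityHeadersConfiguration extends WebSecurityConfigurerAdapter {

    // Illustrative policy (assumption, not the project's shipped value).
    // Everything defaults to same-origin; 'unsafe-inline'/'unsafe-eval' are the
    // concession to the front-end build mentioned in the thread as a dev-experience
    // cost. Apps that open uploads via data:/blob: URLs need those sources listed
    // explicitly, otherwise the download is blocked (the #10227 symptom).
    private static final String CSP =
        "default-src 'self'; "
        + "frame-src 'self' data:; "
        + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        + "style-src 'self' 'unsafe-inline'; "
        + "img-src 'self' data:; "
        + "font-src 'self' data:";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // X-Frame-Options: DENY -- the app may never be embedded in an iframe
                .frameOptions().deny()
                // Content-Security-Policy -- limit where the browser may load from
                .contentSecurityPolicy(CSP)
                .and()
                // Referrer-Policy -- leak only the origin on cross-origin navigations
                .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
                .and()
                // Feature-Policy -- opt out of powerful browser APIs the app does not use
                .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; "
                    + "microphone 'none'; camera 'none'; magnetometer 'none'; "
                    + "gyroscope 'none'; speaker 'none'; fullscreen 'self'; payment 'none'")
                .and()
            .and()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
}
```

Re-running securityheaders.com against a deployment with these four headers plus Spring Security's defaults (HSTS, X-Content-Type-Options, X-XSS-Protection, Cache-Control) is the quickest way to confirm the grade moved from the C/F cited above.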