Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security headers #80

Merged
merged 2 commits into from
Jan 11, 2025
Merged

Security headers #80

merged 2 commits into from
Jan 11, 2025

Conversation

cgzones
Copy link
Contributor

@cgzones cgzones commented Nov 12, 2024

Modern browser support security headers, in particular Content Security
Policy (CSP)(https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
These can help mitigating XSS vulnerabilities, in the case of pastes by
disallowing inline styles and scripts.

Move all current inline styles into the global style.css, and refactor
all inline javascript into separate asset files.

matze
matze requested changes Dec 23, 2024
View reviewed changes
src/main.rs Outdated Show resolved Hide resolved
@matze
Copy link
Owner

matze commented Dec 23, 2024

Could you either rename the PR title or split it into multiple PRs? Some commits are not necessarily related to security headers.

@cgzones cgzones mentioned this pull request Jan 7, 2025
Merged
@cgzones cgzones force-pushed the security_headers branch 2 times, most recently from 99a4979 to 9d00120 Compare January 7, 2025 18:40
@cgzones
Copy link
Contributor Author

cgzones commented Jan 7, 2025

The refactoring in the first commit is necessary to avoid the unsafe-inline exemption for scripts, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script

@cgzones
Avoid inline styles and scripts
921324e 
Modern browser support security headers, in particular Content Security
Policy (CSP)(https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
These can help mitigating XSS vulnerabilities, in the case of pastes by
disallowing inline styles and scripts.

Move all current inline styles into the global style.css, and refactor
all inline javascript into separate asset files.
@cgzones
Add security headers
a705a4a 
Set HTTP headers declaring appropriate security headers.
@matze matze merged commit 662ce5a into matze:master Jan 11, 2025
2 checks passed
@cgzones cgzones deleted the security_headers branch January 11, 2025 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matze matze matze approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cgzones @matze