add security headers #918

Open
7 of 11 tasks
travi opened this issue Feb 4, 2017 · 2 comments

travi commented Feb 4, 2017

https://securityheaders.io/?q=admin.travi.org&followRedirects=on

  • Strict-Transport-Security
  • Content-Security-Policy
    • -Report-Only
    • activate
    • support webpack dev server locally
    • require-sri-for script style
  • Public-Key-Pins
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
  • Expect-CT

travi commented Feb 4, 2017

travi added a commit that referenced this issue Feb 5, 2017
set to report-only to work through the initial kinks for #918
travi added a commit that referenced this issue Feb 5, 2017
…e client

this allows the browser to match the nonce to the one in the csp definition and safely allow the
inline script to execute

for #918
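
The two commits referenced above describe a report-only rollout and a nonce shared between the CSP definition and the inline script. The sketch below shows that pairing in Node.js; it is an added example, not code from this repository. The function names, directive values and the `/csp-report` endpoint are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// A fresh, unguessable nonce per response; reusing one across requests defeats it.
function generateNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Policy string; the directive values are constructed for this example.
function buildCsp(nonce, reportUri) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self'",
    `report-uri ${reportUri}`
  ].join('; ');
}

// reportOnly=true reports violations to reportUri without blocking anything,
// so the policy can be tuned before it is activated.
function securityHeaders({nonce, reportOnly, reportUri}) {
  const cspHeader = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  return {
    [cspHeader]: buildCsp(nonce, reportUri),
    'Strict-Transport-Security': 'max-age=31536000',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer'
  };
}

// The browser runs an inline script only when its nonce attribute matches the
// one in script-src. `code` must be server-authored, never user input.
function inlineScript(nonce, code) {
  return `<script nonce="${nonce}">${code}</script>`;
}

// One response: the same nonce goes into the header and into the markup.
function respond(code) {
  const nonce = generateNonce();
  return {
    headers: securityHeaders({nonce, reportOnly: true, reportUri: '/csp-report'}),
    body: inlineScript(nonce, code)
  };
}
```

Switching `reportOnly` to `false` in `respond` is the "activate" step: the same policy is then sent under `Content-Security-Policy` and enforced.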