nuxt-security icon indicating copy to clipboard operation
nuxt-security copied to clipboard
verified publisher icon Baroshem

feat(core) : owasp default values

Open vejja opened this issue 1 year ago • 5 comments

Closes #232

Types of changes

  • [ ] Bug fix (a non-breaking change which fixes an issue)
  • [x] New feature (a non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Description

This PR updates the default configuration values of Security Headers to conform to the OWASP recommendations

See OWASP Secure Headers Project

Checklist:

  • [ ] My change requires a change to the documentation.
  • [ ] I have updated the documentation accordingly.
  • [x] I have added tests to cover my changes (if not applicable, please state why)

vejja avatar May 11 '24 07:05 vejja

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
nuxt-security ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 21, 2024 9:08am

vercel[bot] avatar May 11 '24 07:05 vercel[bot]

@Baroshem could you please check the new default values ? I copied them from https://owasp.org/www-project-secure-headers/#configuration-proposal but there are 2 things you may want to verify:

  • there are other recommended headers that we do not set: shall we add them ?
  • the OWASP cheat sheets have different values : https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html

let me know what you want to do I’ll update the docs after that

vejja avatar May 11 '24 07:05 vejja

Hey there!

Sorry for no contact from my side as I was quite budy recently.

I would update every property do that we will be up to date with the current state of Owasp and I think I would go for a cheatsheet. I went with Node.js Security Cheatsheet when I was implementing other features.

Baroshem avatar May 15 '24 15:05 Baroshem

Hey there!

Sorry for no contact from my side as I was quite budy recently.

I would update every property do that we will be up to date with the current state of Owasp and I think I would go for a cheatsheet. I went with Node.js Security Cheatsheet when I was implementing other features.

Actually I compared the cheatsheet with the recommendation and they are pretty close. The only significant difference is on permissions policy, where the cheat sheet only gives an example but the Best Practice is way more strict. I'll update CSP for block-all-mixed-content and add the clearSiteData header and I think we'll be good to go.

vejja avatar May 17 '24 09:05 vejja

Awesome, thank you for looking into that!

Baroshem avatar May 17 '24 13:05 Baroshem

After in-depth review, I think it is better to not make further changes:

  • CSP block-all-mixed-content is marked as obsolete, MDN recommends not to use it. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
  • Clear-Site-Data header clears all cookies, storage and cache. Forcibly setting this as default would result in substantial issues in the average Nuxt app. It is better to leave it up to the app owner to implement it on a case-by-case basis. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

I'm marking this PR as ready, let me know if good to you @Baroshem

vejja avatar May 21 '24 09:05 vejja

@vejja

Your comment is valid - let's not add these values and be up to date with MDN. Thanks for that! I will be merging this PR to the RC branch :)

Baroshem avatar May 22 '24 07:05 Baroshem