Review current HTTP Headers, DNS, etc...
So far seems like we can invest some time to improve several things:
- The HTTP headers in the website and discuss if we want to apply headers like: Content Security Policy, Strict Transport Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection...
- CA Authorization in the TLS layer
- Enable HSTS
- Add a security.txt file pointing to the current project security policy?
I used Web Check to do a fast review, so this is not yet an exhaustive list
- Enable HSTS: While transferring the DNS to a Cloudflare account where both the TC and the foundation could have access in https://github.com/expressjs/expressjs.com/issues/955, it wasn't activated. Maybe @wesleytodd or @expressjs/docs-captains know why it wasn't activated? I assume it's because it's not strictly necessary, but it would be a nice plus to have it.
- Security.txt: I think this is a good thing to have. There are no side effects to adding it. I'm going to open a PR to add it (ref: https://securitytxt.org/).
- robots.txt: Should we add it? Does it make any difference having it or not? Either way, if it's added, the value would be User-Agent: *, and we don't want Google to stop crawling our pages.
- HTTP headers: The following headers are the ones recommended by Cloudflare when I ran the analysis with https://radar.cloudflare.com/scan; none of them have a value at the moment.
  - Strict-Transport-Security: This is the HSTS, see the comment above.
  - X-Frame-Options: This should be set to sameorigin. It's not like we're going to render our own page within another page of ours, but if that case ever comes up, we would need to change this header anyway. So allowing it from the same origin should be fine. The other option would be deny. Either option is fine with me, though I prefer sameorigin.
  - X-Content-Type-Options: Should we set it to nosniff? I don't think so, we should leave this value as it is.
  - Content-Security-Policy: Should we have it? I don't know.
  - Referrer-Policy: We should leave it blank.
  - Clear-Site-Data: We should leave it blank; this could affect the browser cache, which we don't want.
  - X-Permitted-Cross-Domain-Policies: Adobe Flash, it's been a long time since I heard that name. Does anyone even use it nowadays? Well, this header affects resource access for it. Should we set it to none? https://owasp.org/www-project-secure-headers/index.html#x-permitted-cross-domain-policies
  - Permissions-Policy: This is experimental and we shouldn't use it.
  - Cross-Origin-Embedder-Policy: We should leave this as it is, blank; it affects CORS.
  - Cross-Origin-Opener-Policy: We should leave this as it is, blank; it affects CORS.
  - Cross-Origin-Resource-Policy: We should leave this as it is, blank; it affects CORS.
  - X-XSS-Protection: Deprecated and no longer used by browsers. Cloudflare also marks it as deprecated.
  - Feature-Policy: This has been deprecated and has now been replaced by Permissions-Policy (which is still experimental), so we shouldn't use it yet. :) https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
  - Expect-CT: This is deprecated and not recommended for use, https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Expect-CT
  - Public-Key-Pins: This is deprecated and not recommended for use, https://owasp.org/www-project-secure-headers/index.html#public-key-pins9
- DNS Security Extensions (DNSSEC) (https://www.cloudflare.com/learning/dns/dnssec/how-dnssec-works/): This should protect our DNS; in my opinion, it should be enabled. I don't think there are any side effects other than protecting our DNS.
- CA Authorization in the TLS layer: This only affects us if the CA is not in a trusted list. We should add it, although I see this isn't present in other places like Node.js either.
cc: @expressjs/security-wg so they can review it
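As an added example (not expressjs.com's own code, and not something anyone in this thread posted), the following is an Express-compatible middleware that sets the headers discussed in the comment above with the values it proposes, plus an audit function that reports which recommended headers a response is missing and which deprecated ones it still sends. The response object and the "before" header set are constructed for the demo; the option names (`hstsMaxAge`, `frameOptions`, `nosniff`, `csp`, `referrerPolicy`, `crossDomainPolicies`) are this example's own.

```javascript
// Added example, not expressjs.com code: Express-compatible middleware that sets
// the headers discussed in the thread, plus an audit of a response's header map.

const ONE_YEAR = 60 * 60 * 24 * 365; // seconds; the HSTS preload list requires at least this

// Headers the comment recommends setting (lower-cased for case-insensitive lookup).
const RECOMMENDED = [
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
  "content-security-policy",
  "referrer-policy",
];

// Headers the comment marks as deprecated: these should be removed, not set.
const DEPRECATED = ["x-xss-protection", "feature-policy", "expect-ct", "public-key-pins"];

// Returns a (req, res, next) middleware. Defaults follow the comment: HSTS on,
// X-Frame-Options sameorigin, X-Permitted-Cross-Domain-Policies none. nosniff, csp
// and referrerPolicy are opt-in here because the thread has not settled on them.
function securityHeaders(options = {}) {
  const {
    hstsMaxAge = ONE_YEAR,
    frameOptions = "SAMEORIGIN", // "DENY" is the other valid value
    nosniff = false,
    csp = null,                  // e.g. "default-src 'self'"
    referrerPolicy = null,       // e.g. "strict-origin-when-cross-origin"
    crossDomainPolicies = "none",
  } = options;
  return function (req, res, next) {
    res.setHeader("Strict-Transport-Security", `max-age=${hstsMaxAge}; includeSubDomains`);
    res.setHeader("X-Frame-Options", frameOptions);
    if (nosniff) res.setHeader("X-Content-Type-Options", "nosniff");
    if (csp) res.setHeader("Content-Security-Policy", csp);
    if (referrerPolicy) res.setHeader("Referrer-Policy", referrerPolicy);
    if (crossDomainPolicies) res.setHeader("X-Permitted-Cross-Domain-Policies", crossDomainPolicies);
    for (const name of DEPRECATED) res.removeHeader(name);
    if (typeof next === "function") next();
  };
}

// Audits a header map (e.g. response.headers from http.get, or a fetch Response's
// headers converted to an object) and returns a list of human-readable findings.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];
  for (const name of RECOMMENDED) if (!(name in h)) findings.push(`missing: ${name}`);
  for (const name of DEPRECATED) if (name in h) findings.push(`deprecated: ${name}`);
  if (h["strict-transport-security"]) {
    const m = /max-age=(\d+)/i.exec(h["strict-transport-security"]);
    if (!m) findings.push("hsts: max-age directive missing");
    else if (Number(m[1]) < ONE_YEAR) findings.push(`hsts: max-age ${m[1]} is below one year`);
  }
  if (h["x-frame-options"]) {
    const v = h["x-frame-options"].trim().toLowerCase();
    if (v !== "deny" && v !== "sameorigin") {
      findings.push(`x-frame-options: unexpected value "${h["x-frame-options"]}"`);
    }
  }
  return findings;
}

// Minimal stand-in for an http.ServerResponse so the demo runs without a server.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
  };
}

// Constructed scenario: a site that sends only the deprecated X-XSS-Protection
// header, audited before and after the middleware runs.
function demo() {
  const res = fakeResponse();
  res.setHeader("X-XSS-Protection", "1; mode=block");
  const before = auditHeaders(res.headers);
  securityHeaders({
    nosniff: true,
    csp: "default-src 'self'",
    referrerPolicy: "strict-origin-when-cross-origin",
  })({}, res, () => {});
  const after = auditHeaders(res.headers);
  return { before, after, headers: res.headers };
}

const demoResult = demo();
console.log("before:", demoResult.before);
console.log("after:", demoResult.after.length ? demoResult.after : "no findings");
console.log("headers:", demoResult.headers);
```

To use the audit against a live site, fetch the page with `http.get` or `fetch`, turn the response headers into a plain object and pass it to `auditHeaders`; to use the middleware, register `app.use(securityHeaders({ ... }))` before the routes. The HSTS check flags a `max-age` under one year because that is the preload-list minimum; a site that has never sent HSTS may still want to start with a short value and raise it once everything is confirmed to work over HTTPS.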
- robots.txt: Should we add it? Does it make any difference having it or not? Either way, if it's added, the value would be User-Agent: *, and we don't want Google to stop crawling our pages.
We can add more values for the sitemap URL and disallow some LLM bots if we want.
- Content-Security-Policy: Should we have it? I don't know.
We should have it. I prefer to set allowed sources for script and CSS files.
- Referrer-Policy: We should leave it blank.
We should not leave it blank, but if no policy is specified then the default policy is applied.
- X-Content-Type-Options: Should we set it to nosniff? I don't think so, we should leave this value as it is.
+1
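As an added example (not expressjs.com's own code, and not posted by anyone in this thread), the following builds a Content-Security-Policy of the kind the reply above prefers, with allowlisted sources for scripts and stylesheets, and lints a policy string for the settings that most weaken it before it is enforced. The CDN host `https://cdn.example.com` is a placeholder, and the helper names (`buildCsp`, `parseCsp`, `lintCsp`, `cspHeader`) are this example's own.

```javascript
// Added example, not expressjs.com code: build a Content-Security-Policy with
// allowlisted script/style sources, and lint a policy before enforcing it.

// Serialises { directive: [sources] } into a CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parses a CSP header value back into { directive: [sources] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Reports settings that weaken the policy's protection against injected content.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!d["default-src"]) {
    findings.push("no default-src fallback: unlisted fetch directives are unrestricted");
  }
  // A fetch directive that is absent falls back to default-src.
  const effective = (name) => d[name] || d["default-src"] || [];
  for (const name of ["script-src", "style-src"]) {
    const sources = effective(name);
    if (sources.length === 0) findings.push(`${name}: unrestricted`);
    if (sources.includes("'unsafe-inline'")) findings.push(`${name}: allows 'unsafe-inline'`);
    if (sources.includes("*")) findings.push(`${name}: wildcard source`);
  }
  if (effective("script-src").includes("'unsafe-eval'")) {
    findings.push("script-src: allows 'unsafe-eval'");
  }
  if (!effective("object-src").includes("'none'")) {
    findings.push("object-src: not 'none', plugin content is allowed");
  }
  return findings;
}

// Constructed policy: the site's own origin plus one CDN (placeholder host) for
// scripts and styles. frame-ancestors 'self' is the CSP equivalent of
// X-Frame-Options: sameorigin discussed earlier in the thread.
const EXAMPLE_POLICY = buildCsp({
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.com"],
  "style-src": ["'self'", "https://cdn.example.com"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "frame-ancestors": ["'self'"],
});

// Roll out with the report-only header first: violations are reported instead of
// blocked, so a policy that is too strict for some page does not break the site.
function cspHeader(policy, { reportOnly = false } = {}) {
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { [name]: policy };
}

console.log(cspHeader(EXAMPLE_POLICY, { reportOnly: true }));
console.log("example policy findings:", lintCsp(EXAMPLE_POLICY));
console.log("weak policy findings:", lintCsp("script-src 'self' 'unsafe-inline' *"));
```

In an Express app the object returned by `cspHeader` can be applied with `res.set(...)` in a middleware; start with `reportOnly: true`, collect the violations the browser reports, and switch to the enforcing header once inline scripts and styles have been moved into files served from the allowlisted origins.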