
Add HTTP security headers

Open akka-ci opened this issue 9 years ago • 4 comments

Issue by pawelprazak Monday Apr 18, 2016 at 14:58 GMT Originally opened as https://github.com/akka/akka/issues/20357


OWASP lists the most common security related headers:

  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Content-Security-Policy
  • Public-Key-Pins
  • Strict-Transport-Security

Do you plan to add them, or is it out of scope?

If I were to make a pull request, is this the right place to start:

  • akka.http.scaladsl.model.headers
  • akka.http.javadsl.model.headers
  • akka.http.impl.model.parser

akka-ci avatar Sep 08 '16 18:09 akka-ci

Comment by ktoso Monday Apr 18, 2016 at 15:04 GMT


Adding such is a good idea, however they should be backed by a stable RFC (not early draft) as our module needs to guarantee binary compatibility so we don't want to lock a type with a wrong signature. Please have a look at the headers and feel free to open up a PR with specific ones so we can pull them in case-by-case.

Yes, that's the right spot for them.

Another thing to consider is if the headers need to change server behaviour in any way or not.

akka-ci avatar Sep 08 '16 18:09 akka-ci
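As an added illustration (not code from akka-http or from anyone in this thread) of where the typed header and the "does it change server behaviour" question above meet: one header from the OWASP list modelled with akka-http's `ModeledCustomHeader`, plus a directive that emits a baseline set on responses. Header values and the route are assumptions chosen for the example; Public-Key-Pins and X-XSS-Protection are left out because browsers have since deprecated them.

```scala
import akka.http.scaladsl.model.HttpHeader
import akka.http.scaladsl.model.headers.{ModeledCustomHeader, ModeledCustomHeaderCompanion, RawHeader}
import akka.http.scaladsl.server.Directive0
import akka.http.scaladsl.server.Directives._
import scala.util.{Failure, Try}

// Typed X-Content-Type-Options: rendered only in responses, since it carries
// no meaning in a request. Construction rejects anything but "nosniff".
final class `X-Content-Type-Options`(val value: String)
    extends ModeledCustomHeader[`X-Content-Type-Options`] {
  override def companion = `X-Content-Type-Options`
  override def renderInRequests = false
  override def renderInResponses = true
}

object `X-Content-Type-Options`
    extends ModeledCustomHeaderCompanion[`X-Content-Type-Options`] {
  override val name = "X-Content-Type-Options"
  override def parse(value: String): Try[`X-Content-Type-Options`] =
    if (value == "nosniff") Try(new `X-Content-Type-Options`(value))
    else Failure(new IllegalArgumentException(s"invalid X-Content-Type-Options: $value"))
}

// Baseline response headers (example values). The other three stay as RawHeader
// here; Strict-Transport-Security must only be sent on HTTPS origins, otherwise
// browsers ignore it and it can only mislead.
val securityHeaders: List[HttpHeader] = List(
  `X-Content-Type-Options`("nosniff"),
  RawHeader("X-Frame-Options", "DENY"),
  RawHeader("Content-Security-Policy", "default-src 'self'"),
  RawHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
)

// respondWithDefaultHeaders adds a header only when the inner route did not
// already set it, so a single endpoint can still override e.g. the CSP.
val withSecurityHeaders: Directive0 = respondWithDefaultHeaders(securityHeaders)

// Hypothetical route wired with the directive.
val route = withSecurityHeaders {
  path("hello") {
    complete("hello")
  }
}
```

Typed headers like the one above also let a route inspect or match a header without string comparisons, which is the benefit of modelling them rather than relying on `RawHeader` alone.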

Comment by 2beaucoup Monday Apr 18, 2016 at 15:05 GMT


Yes. (+ akka.http.impl.model.parser)

akka-ci avatar Sep 08 '16 18:09 akka-ci

Comment by pawelprazak Monday Apr 18, 2016 at 15:32 GMT


OK, so as far as I understand, none of the above qualifies as a stable RFC, therefore adding them would jeopardize binary compatibility.

akka-ci avatar Sep 08 '16 18:09 akka-ci

Hello,

Just for information, the referring page https://www.owasp.org/index.php/List_of_useful_HTTP_headers is currently broken.

I have proposed to the OWASP foundation to make it refer to the OWASP Secure Headers Project, as this project focuses on this topic.

righettod avatar Apr 12 '25 17:04 righettod