[Feature wish] Additional headers
Currently, I inject additional security headers with nginx. I'm really fine with it, since they don't apply when I call the Docker image by itself, which makes debugging way easier. But normal folk would just ignore it, even though it would really enhance security.
Currently I have:
# Restrict what the browser may load; 'unsafe-inline' is still needed for script-src and style-src (see below)
add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self' *.bka.li; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; object-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;";
# Crawler directives; the same values can also go into a <meta name="robots"> tag
add_header 'X-Robots-Tag' "index, follow, noimageindex, notranslate, noarchive";
# Two years of HSTS, covering subdomains and eligible for the browser preload list
add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubDomains; preload';
# Legacy XSS-auditor switch; current browsers ignore it, CSP is what actually applies
add_header 'X-XSS-Protection' '1; mode=block';
# Deny the listed browser features to this origin and to embedded frames
add_header 'Permissions-Policy' 'geolocation=(), microphone=()';
# CORS: let any origin read responses. Note that add_header is not inherited by a
# location block that sets its own add_header; repeat the full set there if needed.
add_header 'Access-Control-Allow-Origin' '*';
Sadly, unsafe-inline is still needed, e.g. for the highlight color, but it doesn't hurt the score from most security tests that much.
Maybe these could be sent by the nginx that is provided with the Dockerfile. Those with their own nginx, like me, still go directly to port 8001 instead of 8000, but others would be happy with these additional security options.
The X-Robots-Tag is also available as a meta tag, which could be injected via nginx too:
# Inject the tag just before </head>. sub_filter only rewrites uncompressed responses,
# so the upstream must not gzip (e.g. proxy_set_header Accept-Encoding "").
sub_filter '</head>' '<meta name="robots" content="index, follow, noimageindex, notranslate, noarchive"></head>';
sub_filter_once on;
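Whether the headers above come from the bundled nginx, a self-hosted reverse proxy, or the application itself, the thing worth verifying is that they actually reach the browser on every response: nginx silently drops all inherited add_header directives in any location block that sets its own add_header, so a single cache-control line on a static path can strip the whole set. The audit script below is an added example, not code from the takahe project or from the issue author. It parses a response's headers into findings (CSP directives with 'unsafe-inline', short or missing HSTS, the obsolete X-XSS-Protection, a wildcard CORS origin, and a missing X-Content-Type-Options, which the issue's list does not include), runs offline against two constructed header sets (the issue's set, and a simulated nested location that lost it), and can be pointed at a live URL given as the first argument. The header names and values are taken from the issue; the sample inputs and the one-year HSTS threshold are assumptions.

```python
"""Audit an HTTP response's security headers, offline or against a live URL.

Added example, not code from the takahe project or the issue author. It checks
for the header set proposed in the issue; the URL and sample headers are constructed.
"""
import sys
import urllib.request

ONE_YEAR = 31536000  # seconds; assumed minimum for a useful HSTS max-age


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value):
    """Return the integer max-age of a Strict-Transport-Security value, or None."""
    for token in value.split(";"):
        name, _, number = token.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return None


def audit_headers(headers):
    """Return a list of findings for a header mapping (names matched case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        if "frame-ancestors" not in policy:
            findings.append("CSP has no frame-ancestors (clickjacking)")
        for directive in ("script-src", "style-src"):
            # An absent fetch directive falls back to default-src.
            sources = policy.get(directive, policy.get("default-src", []))
            if "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} allows 'unsafe-inline'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif (hsts_max_age(hsts) or 0) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is below one year")

    if "x-content-type-options" not in h:
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is obsolete; rely on CSP instead")
    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * is sent on this response")
    return findings


# Constructed sample: the header set from the issue, as nginx emits it for a
# location that inherits the add_header directives.
ISSUE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; connect-src 'self' *.bka.li; font-src 'self'; "
        "img-src *; script-src 'self' 'unsafe-inline'; object-src 'self'; "
        "style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; "
        "base-uri 'self'; form-action 'self'; upgrade-insecure-requests;"
    ),
    "X-Robots-Tag": "index, follow, noimageindex, notranslate, noarchive",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-XSS-Protection": "1; mode=block",
    "Permissions-Policy": "geolocation=(), microphone=()",
    "Access-Control-Allow-Origin": "*",
}

# Constructed sample: a nested nginx location with its own add_header line,
# which drops every add_header inherited from the enclosing block.
NESTED_LOCATION_HEADERS = {"Cache-Control": "max-age=3600"}


def audit_url(url):
    """Fetch a URL and audit its response headers (network access; not used offline)."""
    with urllib.request.urlopen(url) as response:
        return audit_headers(dict(response.headers))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_url(target) if target else audit_headers(ISSUE_HEADERS)
    for finding in results:
        print("-", finding)
```

Run it with no argument to see the findings for the issue's own header set (the two 'unsafe-inline' directives the author already accepts, plus the wildcard CORS origin and the missing nosniff), or with `https://your.instance/` to check what a real deployment returns; run it once against `/` and once against a static asset path to catch the add_header inheritance problem.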
A few of these we should add, a few of them are something I want to leave to whatever reverse proxy someone uses to host the system.