
fix: add sec headers

Open 121watts opened this issue 4 years ago • 2 comments

Closes idpe#7901

121watts avatar Jul 29 '20 15:07 121watts

@russorat i clicked the link in that ticket and read over the recommendation. where is this rec coming from? it seems a little arbitrary and possibly unrelated to our server. i just want to make sure we're configuring things with intent rather than copy/pasting or cargo culting.

hoorayimhelping avatar Jul 29 '20 16:07 hoorayimhelping

This is pretty old and the code it is changing has moved around quite a bit, but having better security headers generally seems like a good idea.

@jdstrand - can you weigh in on this change? Basically we'd be adding the following headers to requests for static content from OSS servers:

```go
w.Header().Add("X-Frame-Options", "SAMEORIGIN")
w.Header().Add("X-XSS-Protection", "1; mode=block")
w.Header().Add("X-Content-Type-Options", "nosniff")
w.Header().Add("Content-Security-Policy", "script-src 'self'; object-src 'self'")
```

williamhbaker avatar Nov 12 '21 19:11 williamhbaker
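The four headers quoted in the comment above, applied as a wrapper around a static file handler and checked on both a 200 and a 404 response. This is an added example, not code from the influxdb repository or from any commenter; `withSecurityHeaders`, `probe` and the in-memory `app.js` are hypothetical names constructed for illustration, and it uses `Set` rather than `Add` so that stacking the wrapper does not emit a header twice.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"testing/fstest"
)

// Header names and values exactly as listed in the thread.
var securityHeaders = map[string]string{
	"X-Frame-Options":         "SAMEORIGIN",
	"X-XSS-Protection":        "1; mode=block",
	"X-Content-Type-Options":  "nosniff",
	"Content-Security-Policy": "script-src 'self'; object-src 'self'",
}

// withSecurityHeaders (hypothetical name) sets the headers before the wrapped
// handler writes, so they are present on error responses as well as on files.
// Set replaces any existing value, so applying the wrapper twice is harmless.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, value := range securityHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// probe serves one request from a constructed in-memory static tree and
// returns the status code and response headers for inspection.
func probe(path string) (int, http.Header) {
	static := http.FileServer(http.FS(fstest.MapFS{
		"app.js": {Data: []byte("console.log('ok')")}, // constructed sample asset
	}))
	h := withSecurityHeaders(withSecurityHeaders(static)) // wrapped twice on purpose
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Result().Header
}

func main() {
	code, h := probe("/app.js")
	fmt.Println("status:", code)
	for name := range securityHeaders {
		fmt.Printf("%s: %q\n", name, h.Values(name))
	}
}
```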