faustjs
Add next-secure-headers in example projects
Tasks
- [ ] I have signed a Contributor License Agreement (CLA) with WP Engine.
- [ ] If a code change, I have written testing instructions that the whole team & outside contributors can understand.
- [ ] I have written and included a comprehensive changeset to properly document the changes I've made.
Description
Adds next-secure-headers in all example projects, providing secure default header configuration across the site.
Related Issue(s):
Testing
- Build and run one of the example projects.
- Inspect the response headers of each page. It should have the following headers, as defined in the package docs:
| Header | next-secure-headers | Helmet | Comment |
|---|---|---|---|
| Strict-Transport-Security | forceHTTPSRedirect | hsts | |
| X-Frame-Options | frameGuard | frameguard | |
| X-Download-Options | noopen | ieNoOpen | |
| X-Content-Type-Options | nosniff | noSniff | |
| X-XSS-Protection | xssProtection | xssFilter | |
| Content-Security-Policy | contentSecurityPolicy | contentSecurityPolicy | |
| Expect-CT | expectCT | expectCt | |
| Referrer-Policy | referrerPolicy | referrerPolicy | |
| X-DNS-Prefetch-Control | - | dnsPrefetchControl | This has privacy implications, but it improves performance. |
| Feature-Policy | - | featurePolicy | Feature Policy improves security, but it is still a working draft. |
| X-Powered-By | - | hidePoweredBy | Next.js supports removing this header in next.config.js. |
| Related to cache | - | nocache | As Helmet said, caching has lots of benefits. |
| X-Permitted-Cross-Domain-Policies | - | crossdomain | Adobe Flash is an old web technology. |
Screenshots
Documentation Changes
Dependent PRs
⚠️ No Changeset found
Latest commit: 47a2dac58b622c4085c21ee531fa4842442af62f
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
📦 Next.js Bundle Analysis for @faustwp/getting-started-example
This analysis was generated by the Next.js Bundle Analysis action. 🤖
This PR introduced no changes to the JavaScript bundle! 🙌
I'm unable to see the new headers after checking out this branch, npm installing, and building the example projects. Tried it on examples using the `pages` and `app` router to no avail.
Here's a screenshot:
Am I missing anything?
I've updated the config. It should work now
The `next-secure-headers` package hasn't been updated in 3+ years, and it seems like the maintainer isn't around. Any concerns with that?
I don't think so, since this package has no real dependencies and it's written in such a way that it returns an object that Next uses for the headers configuration.
Snyk showed no known vulnerable versions:
https://security.snyk.io/package/npm/next-secure-headers
@theodesp thanks. It's not clear from the original post what exactly we should be seeing in the headers. You gave a table of values, but they're not all in the response, and the ones that are don't necessarily match the values you gave. For example, in your screenshot the value of `X-Frame-Options` doesn't match what's in the table. Can you clarify the expectations here?
It should be:
| Header | Expected value |
|---|---|
| Strict-Transport-Security | max-age=<2 years in seconds> |
| X-Frame-Options | DENY |
| X-Download-Options | noopen |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 0 |
| Referrer-Policy | strict-origin-when-cross-origin |
@theodesp LGTM. The only difference I see between what you provided in the table and what I see in the headers is the value for `X-XSS-Protection`. I see a `1` for that instead of `xssProtection`. Looking at the MDN docs for X-XSS-Protection, it says not to use it in production. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
I've set this to `false` now: `xssProtection: false`
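The expected header set from the table above and the `xssProtection: false` fix, turned into a check a reviewer can run against a captured response. This is an added example, not code from the faustjs repository or from the next-secure-headers package: it hand-writes the equivalent Next.js `headers()` entry instead of calling `createSecureHeaders`, and audits a response against it. The two sample responses are constructed from what the thread reports (an `X-XSS-Protection: 1` before the fix, plus the default `X-Powered-By` header); the exact HSTS value (`max-age` only, 63072000 seconds) and treating an absent `X-XSS-Protection` header as acceptable are assumptions, not something the PR states.

```javascript
// Added example, not code from faustjs or next-secure-headers. It encodes the header
// values the PR expects as a Next.js `headers()` entry and audits a captured response
// against them. Assumptions: HSTS carries only max-age (two years), and once
// xssProtection is false the X-XSS-Protection header is absent (or "0").

const TWO_YEARS = 60 * 60 * 24 * 365 * 2; // 63072000 seconds

// Header set every page should carry, in the { key, value } shape Next.js uses.
const EXPECTED_HEADERS = [
  { key: "Strict-Transport-Security", value: `max-age=${TWO_YEARS}` },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Download-Options", value: "noopen" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
];

// Hand-written equivalent of what next.config.js would export: every route gets the
// list above, and poweredByHeader: false drops the X-Powered-By header Next.js adds.
const nextConfig = {
  poweredByHeader: false,
  async headers() {
    return [{ source: "/(.*)", headers: EXPECTED_HEADERS }];
  },
};

// Lower-case header names so comparisons are case-insensitive, as HTTP requires.
function normalize(captured) {
  const out = {};
  for (const [name, value] of Object.entries(captured)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Extract the max-age directive from an HSTS value; NaN when it is missing.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value || "");
  return m ? Number(m[1]) : NaN;
}

// Audit a captured response header map. Returns findings; an empty array means the
// response matches what the PR expects.
function auditSecureHeaders(captured) {
  const h = normalize(captured);
  const findings = [];

  for (const { key, value } of EXPECTED_HEADERS) {
    const got = h[key.toLowerCase()];
    if (got === undefined) {
      findings.push(`${key}: missing`);
    } else if (key === "Strict-Transport-Security") {
      // Accept any max-age of at least two years rather than one exact string.
      if (!(hstsMaxAge(got) >= TWO_YEARS)) {
        findings.push(`${key}: "${got}" has a max-age below two years`);
      }
    } else if (got !== value) {
      findings.push(`${key}: expected "${value}", got "${got}"`);
    }
  }

  // MDN advises against the legacy XSS auditor: only "0" or no header is acceptable.
  const xss = h["x-xss-protection"];
  if (xss !== undefined && xss !== "0") {
    findings.push(`X-XSS-Protection: "${xss}" enables the legacy auditor; use xssProtection: false`);
  }

  // X-Powered-By advertises the framework; Next.js removes it with poweredByHeader: false.
  if (h["x-powered-by"] !== undefined) {
    findings.push("X-Powered-By: present; set poweredByHeader: false in next.config.js");
  }

  return findings;
}

// Constructed sample: what the reviewer described before the fix (X-XSS-Protection: 1),
// plus the default X-Powered-By header.
const BEFORE_FIX = {
  "Strict-Transport-Security": "max-age=63072000",
  "X-Frame-Options": "DENY",
  "X-Download-Options": "noopen",
  "X-Content-Type-Options": "nosniff",
  "X-XSS-Protection": "1",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Powered-By": "Next.js",
};

// Constructed sample: the same response after xssProtection: false and poweredByHeader: false.
const AFTER_FIX = Object.fromEntries(
  Object.entries(BEFORE_FIX).filter(([k]) => !["X-XSS-Protection", "X-Powered-By"].includes(k))
);

console.log(auditSecureHeaders(BEFORE_FIX)); // two findings: X-XSS-Protection and X-Powered-By
console.log(auditSecureHeaders(AFTER_FIX));  // []
```

To use it against a real build, paste the headers from `curl -sI http://localhost:3000/` into the map and call `auditSecureHeaders`; the HSTS check is a floor rather than an exact match so a longer `max-age` or an added `includeSubDomains` does not produce a false finding.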
@blakewilson merging is blocked until there is approval for the "changes requested".
@theodesp I dismissed Blake's review as stale, since you addressed it. No blockers to merge if you're happy with this.

