Possibility to improve security headers
Hi, looking for ways to improve the security of my Funkwhale instance, I analyzed it on https://observatory.mozilla.org/.
I was sad to obtain the worst score of F.
So I checked for open.audio, and observed the same issues & score: https://observatory.mozilla.org/analyze/open.audio
CORS
Why are the CORS headers open to everyone? Is it for embedding playlists and such on other webpages? Or is it necessary for federation to work? I guess not, as federation works server-side, which can ignore CORS headers.
Maybe opening the CORS headers should be an opt-in.
I'd be glad to contribute to the documentation on setting the CORS headers according to the administrator's needs, but I really don't know if they need to be open. If they don't, they most likely should be set by the Funkwhale API itself.
Session Cookies
Session cookies (`csrftoken` & `sessionid`) also have parameter issues:
- They're not marked as `Secure`, which forces the cookies to be served over HTTPS.
- They're not marked `HttpOnly`, which forbids JS to read them.
- The `SameSite` parameter is set to `Lax` (and not to `Strict`), which, again, may be related to embedding or federation.
I successfully marked the cookies as `Secure` and `HttpOnly` with this nginx directive and didn't observe any regression:

```nginx
proxy_cookie_path / "/; Secure; SameSite=strict";
```
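As an added example (not code from the post or from Funkwhale), here is a small Python audit that reports, per cookie, which of the attributes discussed above are missing, and flags a wildcard `Access-Control-Allow-Origin`. The header samples are constructed to mirror the post's findings and the effect of the `proxy_cookie_path` rewrite quoted above; they are not captured from open.audio.

```python
from __future__ import annotations


def audit_cookie(set_cookie: str) -> tuple[str, list[str]]:
    """Return (cookie name, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # bare flags (Secure, HttpOnly) map to ""
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite != "strict":
        findings.append(f"SameSite is {samesite or 'unset'}, not Strict")
    return name, findings


def audit_headers(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit every Set-Cookie plus the CORS allow-origin header of one response."""
    report: dict[str, list[str]] = {}
    for key, value in headers:
        lkey = key.lower()
        if lkey == "set-cookie":
            name, findings = audit_cookie(value)
            if findings:
                report[name] = findings
        elif lkey == "access-control-allow-origin" and value.strip() == "*":
            report[key] = ["wildcard origin: any site can read unauthenticated responses"]
    return report


# Constructed sample modelled on the post's findings (not captured from a real instance).
SAMPLE_BEFORE = [
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "csrftoken=abc123; Path=/; SameSite=Lax"),
    ("Set-Cookie", "sessionid=def456; Path=/; HttpOnly; SameSite=Lax"),
]
# Constructed: the same cookies after `proxy_cookie_path / "/; Secure; SameSite=strict"`,
# which rewrites the Path attribute and leaves the other attributes as the upstream sent them.
SAMPLE_AFTER = [
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "csrftoken=abc123; Path=/; Secure; SameSite=strict"),
    ("Set-Cookie", "sessionid=def456; Path=/; Secure; SameSite=strict; HttpOnly"),
]

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_headers(sample))
```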