
Resolve "Improve the security via HTTP headers"

Agate requested to merge 880-header-security into develop

Closes #880 (closed)

The first two commits are not directly related, but were needed to test production-like CSP headers in development.

About the CSP

This is my first time implementing a CSP ever, so please, feel free to point out any mistake. I'd really like a review on this specific bit.

I've used https://developer.mozilla.org/fr/docs/Web/HTTP/CSP and https://csp-evaluator.withgoogle.com/ as my main resources, the proposed CSP is:

default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:

The 'unsafe-inline' value for the style-src leaves some room in case of an attack, but I lack the time to track down and remove all those inlined styles within the codebase (most of which are, I suspect, introduced in dependencies).

However, I've ensured we don't load JS scripts from anywhere else, and don't allow calls to eval or stuff like that.
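A small parser and audit for the policy quoted above, added here as review material; it is not code from this merge request or from the project. It applies the same kind of checks csp-evaluator runs (script-src free of 'unsafe-inline', 'unsafe-eval' and scheme-wide sources, object-src 'none', and the directives that default-src does not cover: base-uri, form-action and frame-ancestors). The hardened policy at the bottom is an assumption for illustration; in particular frame-ancestors 'none' only fits if the app never needs to be embedded in another site.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example for this review thread, not code from the merge request or
the project. The parser follows the CSP grammar (directives separated by
';', source expressions by whitespace); the audit rules are the checks a
reviewer would apply to the policy proposed in the description.
"""
from typing import Dict, List, Optional

# Directives that default-src does NOT fall back to: if they are absent the
# browser applies no restriction at all for that feature.
NOT_COVERED_BY_DEFAULT = ("base-uri", "form-action", "frame-ancestors")

# Sources in script-src that csp-evaluator rates as high severity.
DANGEROUS_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:")

# The policy proposed in the merge request description (verbatim).
PROPOSED_CSP = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self' data:; object-src 'none'; "
    "media-src 'self' data:"
)

# Assumed hardened variant: adds the three directives default-src does not
# cover. frame-ancestors 'none' assumes the app is never framed elsewhere.
HARDENED_CSP = PROPOSED_CSP + "; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive. Browsers ignore a directive that is
    repeated later in the policy, so the first occurrence wins here as well.
    """
    parsed: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in parsed:
            parsed[name] = tokens[1:]
    return parsed


def effective_sources(parsed: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that applies to a directive, with the browser's fallback
    to default-src. None means the feature is unrestricted."""
    if directive in parsed:
        return parsed[directive]
    if directive in NOT_COVERED_BY_DEFAULT:
        return None
    return parsed.get("default-src")


def audit_csp(policy: str) -> List[str]:
    """Return human-readable findings, most severe first; empty list means clean."""
    parsed = parse_csp(policy)
    findings: List[str] = []

    script = effective_sources(parsed, "script-src")
    if script is None:
        findings.append("script-src: neither script-src nor default-src set, scripts unrestricted")
    else:
        for bad in DANGEROUS_SCRIPT_SOURCES:
            if bad in script:
                findings.append(f"script-src: {bad} allows script injection")

    if effective_sources(parsed, "object-src") != ["'none'"]:
        findings.append("object-src: should be 'none' (plugins such as Flash can execute script)")

    for directive in NOT_COVERED_BY_DEFAULT:
        if directive not in parsed:
            findings.append(f"{directive}: missing, and default-src does not cover it")

    style = effective_sources(parsed, "style-src")
    if style and "'unsafe-inline'" in style:
        findings.append("style-src: 'unsafe-inline' lets injected CSS exfiltrate data (weak, not script execution)")

    return findings


if __name__ == "__main__":
    for label, policy in (("proposed", PROPOSED_CSP), ("hardened", HARDENED_CSP)):
        print(f"== {label} ==")
        for finding in audit_csp(policy) or ["no findings"]:
            print(" -", finding)
```

Run against the proposed policy the audit confirms what the description claims (no inline or external script, object-src locked down) and adds the three missing directives plus the acknowledged style-src weakness; the hardened variant leaves only the style-src note.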
