Improve the security via HTTP headers
We're currently missing a CSP policy to help preventing the loading of external resources such as fonts, javascript or images. We could also prevent Iframe loading on all pages (except embeds) using X-Frame-Options
.
My initial attempts at a generating a CSP policy yield this: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:
With this policy, the app loads without any CSP warning (at least during my tests). The unsafe-unline
and unsafe-eval
bits could possibly removed if we added the CSP headers at the Python level (appending a nonce=
to the stylesheets and javascripts files. However, this would require a bit more work.
We also might want to set the X-XSS-Protection
, X-Content-Type-Options
and Referrer-Policy
headers too.