[ic] Security Concerns

Jon Jensen jon at endpoint.com
Tue Dec 1 02:26:15 UTC 2020


On Thu, 5 Nov 2020, mihai at airdelights.com wrote:

> It was recently brought to my attention that our website may be missing 
> some HTTP security headers, leading to vulnerabilities. After doing some 
> research, it seemed to me that the most prevalent ones are the 
> following:
>
> - X-Frame-Options
> - Content-Security-Policy
> - Strict-Transport-Security
>
> After reading about each one, they all seemed valuable in their own way. 
> However, I wanted to hear some other opinions from folks using 
> Interchange. Has anyone here implemented these security features?

Yes.

> If so, do you feel that they are beneficial in preventing any breaches 
> to your website?

Yes.

Using X-Frame-Options and Content-Security-Policy to limit what frames and 
scripts can be used on a page, where external elements can come from, etc. 
is very worthwhile, but when adding them to existing sites it can take a 
lot of work to ensure you don't break intended functionality.

Strict-Transport-Security is simpler, if your site is all running over 
HTTPS already. Just be careful about making it apply to subdomains if 
you're not certain all subdomains can be HTTPS only. One way to tread 
cautiously here is to set the TTL to a few seconds, a minute at most, so 
if you discover it caused problems you can remove it and users won't face 
breakage for too long.

Jon


-- 
Jon Jensen
End Point Corporation
https://www.endpoint.com/
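A small checker for the three headers the thread discusses, added here as an example rather than code from the thread or from Interchange. The sample responses are constructed, and the 60-second "cautious" threshold simply encodes the seconds-to-a-minute TTL Jon suggests for a trial HSTS rollout.

```python
"""Audit a raw HTTP response for X-Frame-Options, CSP and HSTS.

Added example, not Interchange code. Both sample responses below are
constructed by hand, not captured from any real site.
"""
import re

WANTED = ("x-frame-options", "content-security-policy",
          "strict-transport-security")

# Constructed: all three headers set, HSTS trialled with a short max-age
SAMPLE_CAUTIOUS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "Strict-Transport-Security: max-age=60; includeSubDomains\r\n"
    "\r\n"
)

# Constructed: HSTS committed for a year across every subdomain
SAMPLE_COMMITTED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a response."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw, cautious_max_age=60):
    """Report missing headers and how aggressively HSTS is configured."""
    h = parse_headers(raw)
    report = {"missing": [n for n in WANTED if n not in h]}
    xfo = h.get("x-frame-options", "").upper()
    report["xfo_valid"] = xfo in ("DENY", "SAMEORIGIN")
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else None
        report["hsts_max_age"] = age
        report["hsts_subdomains"] = "includesubdomains" in hsts.lower()
        # A TTL of seconds to a minute lets a mistaken rollout expire quickly
        report["hsts_cautious"] = age is not None and age <= cautious_max_age
    return report
```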
