Add some more headers
Issue #11
new
Probably want to set a few more headers by default to stop various attacks
Comments (2)

reporter: We possibly want to be able to determine if we’re running in a hardened configuration, which may well be related to #9
The X-Frame-Options header, or a Content-Security-Policy header with the 'frame-ancestors' directive, should be returned in all of the application’s server responses. This prevents the page's content from being rendered by another site inside a frame or iframe tag.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://en.wikipedia.org/wiki/Clickjacking
The following configuration should be set for all responses:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
HTTP Strict Transport Security (HSTS) can be enabled by adding an HTTP response header with the name ‘Strict-Transport-Security’ and the value ‘max-age=expireTime’, where expireTime is the number of seconds for which browsers should remember that the site must only be accessed over HTTPS.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
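As an added example (not code from this project or its issue tracker), the following Python covers both the clickjacking-defence and the HSTS points above in one place: a small WSGI middleware that adds the headers to every response unless the application already set them, and a check function that reports which hardening headers a response is missing, which is the "are we running hardened?" question raised in the comment. The middleware class, the demo application and the chosen header values (`DENY`, `frame-ancestors 'none'`, a one-year `max-age`) are assumptions for illustration; the issue itself only names the headers. The Cache-Control value the issue refers to is not given on the page and is deliberately not set here.

```python
"""Added example: set and verify the hardening headers discussed in this issue.

Header names follow the issue text. The header values, HSTS_MAX_AGE, the
middleware class and the demo WSGI app are illustrative assumptions.
"""
from wsgiref.util import setup_testing_defaults

# One year in seconds. The issue only says "expireTime"; this value is an assumption.
HSTS_MAX_AGE = 31536000


def hardening_headers(hsts_max_age=HSTS_MAX_AGE):
    """Headers every response should carry (values are assumed choices)."""
    return [
        ("X-Frame-Options", "DENY"),
        ("Content-Security-Policy", "frame-ancestors 'none'"),
        ("Strict-Transport-Security", f"max-age={hsts_max_age}"),
    ]


class SecurityHeadersMiddleware:
    """Hypothetical WSGI middleware that appends the hardening headers to
    every response, without overriding a header the app already set."""

    def __init__(self, app, hsts_max_age=HSTS_MAX_AGE):
        self.app = app
        self.hsts_max_age = hsts_max_age

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in hardening_headers(self.hsts_max_age):
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def missing_hardening_headers(headers):
    """Return the hardening requirements a header list fails to meet.

    Clickjacking defence is satisfied by either X-Frame-Options or a CSP that
    contains frame-ancestors; HSTS needs Strict-Transport-Security with max-age.
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    missing = []
    csp_ok = any("frame-ancestors" in v
                 for v in by_name.get("content-security-policy", []))
    if "x-frame-options" not in by_name and not csp_ok:
        missing.append("X-Frame-Options or Content-Security-Policy frame-ancestors")
    if not any("max-age=" in v
               for v in by_name.get("strict-transport-security", [])):
        missing.append("Strict-Transport-Security")
    return missing


def demo_app(environ, start_response):
    """Constructed stand-in for the real application: sets no security headers."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers(app, path="/"):
    """Run a WSGI app against a constructed request; return (status, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    _, bare = response_headers(demo_app)
    print("unwrapped app is missing:", missing_hardening_headers(bare))
    _, hardened = response_headers(SecurityHeadersMiddleware(demo_app))
    print("wrapped app is missing:", missing_hardening_headers(hardened))
```

`missing_hardening_headers` is the piece worth wiring into a health check or a test suite: run it over a real response from the deployed service and fail the check if it returns anything, which gives the deployment-time answer to whether the hardened configuration is actually in effect.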