Add some more headers

Issue #11 new
Dom Davis repo owner created an issue

Probably want to set a few more headers by default to stop various attacks

Comments (2)

  1. Dom Davis reporter

    The X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header should be returned within all of the application’s server responses. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.

    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
    https://en.wikipedia.org/wiki/Clickjacking

    The following configuration should be set for all responses:

    • Cache-Control: no-cache, no-store, must-revalidate
    • Pragma: no-cache

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

    HTTP Strict Transport Security (HSTS) can be enabled by adding an HTTP response header with the name ‘Strict-Transport-Security’ and the value ‘max-age=expireTime’. ExpireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS.

    https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
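    The headers this comment lists, applied by a Go net/http middleware and checked by a small probe. This is an added example, not code from this repository; the demo handler, the one-year HSTS max-age and the choice of Go are assumptions.

    ```go
    package main

    import (
    	"fmt"
    	"net/http"
    	"net/http/httptest"
    )

    // Hardening headers from the issue, in a fixed order so checks are deterministic.
    var hardeningHeaders = []struct{ name, value string }{
    	// Clickjacking defence: legacy header plus the CSP frame-ancestors directive.
    	{"X-Frame-Options", "DENY"},
    	{"Content-Security-Policy", "frame-ancestors 'none'"},
    	// Keep sensitive responses out of browser and proxy caches.
    	{"Cache-Control", "no-cache, no-store, must-revalidate"},
    	{"Pragma", "no-cache"},
    	// HSTS: max-age is seconds; one year is a constructed example value.
    	{"Strict-Transport-Security", "max-age=31536000"},
    }

    // SecurityHeaders sets the headers before the wrapped handler writes its body;
    // headers added after WriteHeader/Write would be silently dropped.
    func SecurityHeaders(next http.Handler) http.Handler {
    	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    		for _, h := range hardeningHeaders {
    			w.Header().Set(h.name, h.value)
    		}
    		next.ServeHTTP(w, r)
    	})
    }

    // MissingHeaders returns the names of hardening headers a response lacks or
    // carries with a different value; an empty result means "hardened".
    func MissingHeaders(h http.Header) []string {
    	var missing []string
    	for _, want := range hardeningHeaders {
    		if h.Get(want.name) != want.value {
    			missing = append(missing, want.name)
    		}
    	}
    	return missing
    }

    func main() {
    	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    		fmt.Fprintln(w, "hello")
    	})
    	rec := httptest.NewRecorder()
    	SecurityHeaders(app).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
    	fmt.Println("missing after middleware:", MissingHeaders(rec.Result().Header))
    }
    ```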

  2. Dom Davis reporter

    We possibly want to be able to determine if we’re running in a hardened configuration, which may well be related to #9