
@m4cd4r4 m4cd4r4 commented Dec 13, 2025

Summary

Implements security recommendations from Webbkoll scan (issue #137):

  • HSTS: max-age=31536000; includeSubDomains; preload - Prevents SSL-stripping attacks
  • CSP: Configured to allow site resources (pal-chat.net, plausible.io, notion.so)
  • Referrer-Policy: no-referrer - Prevents leaking referrer information
  • X-Content-Type-Options: nosniff - Prevents MIME-type sniffing
  • X-Frame-Options: DENY - Prevents clickjacking
  • Permissions-Policy: Disables unused browser APIs

Key Insight

This approach uses Cloudflare Pages _headers file which deploys with the code - no Cloudflare dashboard access needed!

Test Plan

  • Deploy to preview environment
  • Test with https://webbkoll.dataskydd.net/
  • Verify chat widget (pal-chat) still works
  • Verify Plausible analytics loads
  • Check all pages render correctly
  • Verify Notion-sourced content displays

Fixes #137

Implements security recommendations from issue TechForPalestine#137:

- HSTS: max-age=31536000; includeSubDomains; preload
- CSP: Configured for site's external resources (pal-chat, plausible, notion)
- Referrer-Policy: no-referrer
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Permissions-Policy: Disable unused browser APIs

This approach uses Cloudflare Pages _headers file, so no dashboard access needed.

Fixes TechForPalestine#137
@mohanadft (Member)

@tmhall99 can you please take a look

@tmhall99 (Contributor)

> @tmhall99 can you please take a look

I'm concerned that the strict Content-Security-Policy may block integrations (like the ProjectHub API) and it seems overly permissive with regard to inline scripts. I requested CoPilot review.
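As an added illustration (not the PR's own `_headers` file, which is not shown on this page), the Python below parses a constructed Cloudflare Pages `_headers` block and audits it against the headers listed in the description, including the inline-script point raised in review. The sample CSP, the required script hosts and the finding messages are assumptions.

```python
import re

# Constructed sample in Cloudflare Pages `_headers` format, not the PR's own file. It
# allows the hosts named in the PR and, to show the review concern, permits inline scripts.
SAMPLE_HEADERS = """\
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://pal-chat.net https://plausible.io; frame-src https://*.notion.so; frame-ancestors 'none'
  Referrer-Policy: no-referrer
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
"""

def parse_headers_file(text):
    """Return {path_pattern: {lowercased header name: value}} for each rule block."""
    rules, path = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if not line[0].isspace():  # an unindented path pattern opens a rule block
            rules.setdefault(path := line.strip(), {})
        elif path is not None:  # indented "Name: value" lines belong to that block
            name, _, value = line.strip().partition(":")
            rules[path][name.strip().lower()] = value.strip()
    return rules

def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    parts = [d.split() for d in value.split(";") if d.strip()]
    return {p[0].lower(): p[1:] for p in parts}

def audit(headers, script_hosts=("https://pal-chat.net", "https://plausible.io")):
    """Check one rule block against the PR's stated targets; [] means clean."""
    findings = []
    hsts = headers.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 31536000 or "includesubdomains" not in hsts:
        findings.append("HSTS weaker than max-age=31536000; includeSubDomains")
    for name, want in {"x-content-type-options": "nosniff", "x-frame-options": "deny",
                       "referrer-policy": "no-referrer"}.items():
        if headers.get(name, "").lower() != want:
            findings.append(f"{name} is not {want}")
    csp = parse_csp(headers.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))  # CSP fallback rule
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts still run")
    for host in script_hosts:
        if host not in script_src:  # that integration's script would be blocked
            findings.append(f"script-src does not allow {host}")
    return findings
```

Running `audit` over each block returned by `parse_headers_file` before deploying to the preview environment catches both a blocked integration host and a weakened script-src without waiting for the external scan.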

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.


Development: successfully merging this pull request may close the issue "Security patches for website".

3 participants