Add CSP & Cache Control headers #2478
Conversation
|
| [[headers]] | ||
| for = "/*" | ||
| [headers.values] | ||
| Content-Security-Policy = "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data: blob:" |
There was a problem hiding this comment.
- Shouldn't we use
script-src 'self'? The application shouldn't be loading remote scripts - Same for styles
- Images may come from auth providers, so we need wider permissions there
There was a problem hiding this comment.
script-src are inline and we have to calculate nonce of them, which can be problematic for developers. Sometimes we use open source libraries. But defailt-src is https which gets applied to all.
netlify.toml
Outdated
| Permissions-Policy = "geolocation=(),midi=(),sync-xhr=(self),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" | ||
| Referrer-Policy = "no-referrer" | ||
| X-Frame-Options = "SAMEORIGIN" | ||
| X-Xss-Protection = "1; mode=block" |
There was a problem hiding this comment.
Looks like this has been deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
There was a problem hiding this comment.
There was a problem hiding this comment.
https://securityheaders.com/?q=ui.rilldata.io&followRedirects=on this doesn't require this so we can remove it.
netlify.toml
Outdated
| [[headers]] | ||
| for = "/-/*" | ||
| [headers.values] | ||
| cache-control = ''' | ||
| max-age=0, | ||
| no-cache, | ||
| no-store, | ||
| must-revalidate''' |
There was a problem hiding this comment.
I don't think this is needed. The application is a SPA, so it serves static content on all routes. Any dynamic parameters in the query string will only be consumed client-side, not rendered in the content (so e.g. confirmation codes will not be cached).
There was a problem hiding this comment.
ok, we can remove this as its not working as expected.
* Add CSP & Cache Control headers
Please go the the
Previewtab and select the appropriate sub-template: