Implement Security-Related Headers
What is/are the relevant URL(s)
Entire site is impacted, but potentially the most vulnerable are those where we collect form submissions like sales inquiries: https://about.gitlab.com/sales/
Briefly describe the bug
More details available in this comment: gitlab-org/gitlab-pages#28 (comment 797735302)
However, I think what is even more pressing is that we can't add even the most basic security headers on our own static sites (docs.gitlab.com, about.gitlab.com, etc.). For example, by not setting `x-frame-options` we expose existing or potential customers to clickjacking attacks. Using this technique, a malicious third party could potentially capture form submission data on things like sales inquiries. We also don't set `content-security-policy`, which is potentially problematic given how many non-technical approvers we have for handbook MRs. These team members might not understand the privacy and security implications of embedding third-party assets/resources.
To summarize, we should add security-related HTTP headers on our static sites to be more in line with what we do on gitlab.com. Most notably, this would include:
content-security-policy
expect-ct
referrer-policy
report-to
strict-transport-security
upgrade-insecure-requests
x-content-type-options
x-download-options
x-frame-options
x-permitted-cross-domain-policies
x-xss-protection
Doing this in the context of Pages would be blocked by gitlab-org/gitlab-pages#28 (closed). Perhaps we can implement this in Cloudflare as a stop-gap solution for now?
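As an added illustration (not code from this issue or from GitLab's own infrastructure) of what the Cloudflare stop-gap could look like: a Worker-style response transform that sets the headers listed above, plus a small check that reports which of them a response is still missing. The header values are this example's assumptions and should be tightened to each site's real asset origins (the CSP in particular); `upgrade-insecure-requests` is folded into the CSP since that is where it takes effect on responses, and `expect-ct` and `report-to` are left out because they need a reporting endpoint (and `expect-ct` has since been deprecated by browsers).

```javascript
// Added example, not from the issue. Values are assumptions chosen to be safe
// defaults for a static marketing/docs site: no framing at all (x-frame-options
// DENY agrees with frame-ancestors 'none'), same-origin assets only, no MIME
// sniffing. Tune default-src/script-src to the site's real third-party assets.
const SECURITY_HEADERS = {
  "content-security-policy":
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests",
  "referrer-policy": "strict-origin-when-cross-origin",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-download-options": "noopen",
  "x-frame-options": "DENY",
  "x-permitted-cross-domain-policies": "none",
  // "0" disables the legacy auditor, which has its own bypass history; the
  // CSP above is the real XSS control. Use "1; mode=block" if you prefer parity
  // with gitlab.com's current value.
  "x-xss-protection": "0",
};

// Header names are case-insensitive; compare on a lowercased copy.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Add every security header that is not already present. Existing values win,
// so a page that deliberately sets a stricter (or looser) CSP is not clobbered.
function applySecurityHeaders(headers) {
  const out = normalize(headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!(name in out)) out[name] = value;
  }
  return out;
}

// Defender's check: which of the expected headers does this response lack?
// Useful for asserting on a site's live responses before and after rollout.
function missingSecurityHeaders(headers) {
  const present = normalize(headers);
  return Object.keys(SECURITY_HEADERS).filter((name) => !(name in present));
}

// Cloudflare Worker-style handler (service-worker syntax). Only the handler
// shape is Cloudflare's; the header values come from SECURITY_HEADERS above.
async function handleRequest(request) {
  const upstream = await fetch(request);
  // Re-wrap so the headers are mutable; a fetched Response's headers are not.
  const response = new Response(upstream.body, upstream);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!response.headers.has(name)) response.headers.set(name, value);
  }
  return response;
}

// Register only inside a Worker runtime; a no-op when the file runs under Node.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}

// Constructed sample: the kind of bare response a static Pages site returns today.
const SAMPLE_STATIC_RESPONSE_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "Cache-Control": "max-age=600",
};
```

`missingSecurityHeaders(SAMPLE_STATIC_RESPONSE_HEADERS)` returns all eight names, and `applySecurityHeaders` on the same object leaves nothing missing while keeping the original `content-type` and `cache-control` values intact.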
/cc @gl-website