• intr0 🏴 @intr0 ·

    NOTE:

    • Cross-Origin-Embedder-Policy has only one possible value: 'require-corp'.
    • Cross-Origin-Resource-Policy set with a value of 'same-origin' is more secure than using 'same-site' due to the technical meanings of origin vs site. See Consider deploying Cross-Origin Resource Policy for details.
    • Cross-Origin-Opener-Policy set with the 'same-origin' is a safe, locked down policy. See Making your website "cross-origin isolated" using COOP and COEP for details.
    • The Content-Security-Policy directive require-trusted-types-for 'script' prevents DOM injection sinks. However it is a relatively new CSP directive that is not fully supported by all browsers. FireFox will, e,g., mark it as 'unknown' but this does not prevent its use. I presume Chrome recognizes it as it's a directive stated by Google on https://csp-evaluator.withgoogle.com/ as both recognized and suggested for use as a recommended security measure.
    • The Content-Security-Policy directive 'upgrade-insecure-requests' is effectively a noop when block-all-mixed-content is set. However, I still use both.
    • One may set the HTTP header Strict-Transport-Security to the current recommended value of two years instead of one year, which is only what the CloudFlare Dash allows by setting a value of max-age=63072000; includeSubDomains; preload using CloudFlare Workers as is shown above.
    • There are optional headers that will not affect a site's security per se but do add privacy enhancements depending on one's site's/application's needs:
      1. Clear-Site-Data (which also has the benefit of cache-busting if one needs a simple way to force browsers/user-agents to clear their cache when one's site loads).
      2. X-DNS-Prefetch-Control set to off is a good header to use when you don't want to leak information to sites linked-to on one's own site. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control.
    • Note X-Frame-Options header has been obsoleted by the frame-ancestors directive from Content-Security-Policy However, considering the fact that a small minority of sites employ CSP whatsoever, and that only a small minority of those utilize frame-ancestors none which would properly protect against clickjacking attacks, I still employ X-Frame-Options DENY for sake of completeness / defense in depth / to support older UAs such as Internet Explorer and early releases of FireFox, Chromium, Safari, etc.
    Edited by intr0
  • intr0 🏴 @intr0 ·

    EDIT:

    X-Frame-Options is unnecessary with a strong CSP (using frame-ancestors 'deny'); X-XSS-Protection should be set to 0; Set-Cookie isn't necessary as Cloudflare is no longer setting their own cookie;

0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment