-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a more strict default #204
Add a more strict default #204
Conversation
src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs
Outdated
Show resolved
Hide resolved
src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs
Show resolved
Hide resolved
src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs
Outdated
Show resolved
Hide resolved
src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs
Outdated
Show resolved
Hide resolved
src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs
Outdated
Show resolved
Hide resolved
I fix the tests today |
fixed the tests |
Hey Damien, I haven't forgotten about this, I've just been mulling it over a lot and trying to understand all the implications of the various COOP, COEP, CORP headers 😅 One thing I was wondering about, is whether it's worth adding additional "default" values. e.g. the existing ones are meant to be "safe" headers that generally improve security. I feel like maybe there's for additional "collections" to serve as a basis, e.g.
It's just a vague idea though, and I'm not sure how feasible they are, as I suspect most of the time people will need to customize, which is fine, but in that case, having additional "default" values may make it more confusing to know where to start. I'm not sure, just thinking out loud really :D |
Hi @andrewlock no problem, I am thinking along these lines as well. I try to lock the each app as much as possible and so I would end up never using the defaults as each app is slightly different. If using defaults, then you have a basic security set which is a lot better than nothing but missing a few things. This would work with almost any type of APP which is the advantage. Maybe just lock down the API defaults and leave the UI defaults as it is is a type of in the middle approach. Maybe the question is who are defaults made for and then optimize for this developer type. It is good as it is as well, maybe we can just close the PR and leave the defaults. I'm thinking out loud as well :) No idea what is best, but it is not that important as we can always just create our own definitions. |
Ok, I've done some more thinking about it and a bunch more reading and playing with COOP/COEP/CORP... I think for the UI headers, the way to go is to be generally more broadly applicable. For me, that means
For the APIs I think what we already discussed makes sense, i.e.
|
@andrewlock I like the middle ground solution you suggested. Updated. Greetings Damien |
Thanks Damien, appreciate it! |
addresses #202
Not sure if I got everything right, API yes, unsure about the UI headers.
Another point, when using OIDC, the form self definition will block some flows. Maybe a documentation note about the CSP.
Greetings Damien