Feature #1011
Additional security features
Start date:
2019-04-07
Estimated time:
8.00 h
Description
To provide additional security we tested OpenAtlas at Mozilla and began implementing the suggestions: https://observatory.mozilla.org/analyze/demo-dev.openatlas.eu
In application:
- HTTP Strict Transport Security https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
- X-Content-Type-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
- X-Frame-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- X-XSS-Protection https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
- SESSION_COOKIE_SAMESITE
- REMEMBER_COOKIE_SECURE
Documented how to activated if using HTTPS only:
- SESSION_COOKIE_SECURE: https://infosec.mozilla.org/guidelines/web_security#cookies
History
Updated by
Updated by Alexander Watzinger almost 4 years ago
- Status changed from In Progress to Closed
Only suggestion which was not implemented: Content Security Policy
This would need a complete rebuild of the application (no inline JavaScript or CSS) so we wait for the next major frontend upgrade.