Feature #1011
Updated by Alexander Watzinger almost 2 years ago
To provide additional security we tested OpenAtlas at Mozilla and began to implement the suggestions: https://observatory.mozilla.org/analyze/demo-dev.openatlas.eu
In application:
* Using secure cookies: https://infosec.mozilla.org/guidelines/web_security#cookies
* Setting SESSION_COOKIE_SAMESITE
Tested and added to install notes:
* HTTP Strict Transport Security https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security
* X-Content-Type-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
* X-Frame-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
* X-XSS-Protection https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
* SESSION_COOKIE_SAMESITE
* REMEMBER_COOKIE_SECURE
Documented how to activate if using HTTPS only:
* SESSION_COOKIE_SECURE: https://infosec.mozilla.org/guidelines/web_security#cookies
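As an added example (not code from this issue or from OpenAtlas itself), a dependency-free Python check that audits a response's headers and Set-Cookie lines against the points listed above; the two sample responses are constructed, and the mapping of SESSION_COOKIE_SECURE, SESSION_COOKIE_SAMESITE and REMEMBER_COOKIE_SECURE to the Secure and SameSite cookie attributes is assumed from the Flask and Flask-Login documentation.

```python
# Expected value per header (values are lowercased before the check), per the linked guidelines.
HEADER_CHECKS = {
    "strict-transport-security": lambda v: v.startswith("max-age="),
    "x-content-type-options": lambda v: v == "nosniff",
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "x-xss-protection": lambda v: v in ("1; mode=block", "0"),
}

def parse_set_cookie(raw):
    """One Set-Cookie line -> (cookie name, {attribute (lowercased): value})."""
    parts = [p.strip() for p in raw.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return parts[0].partition("=")[0].strip(), attrs

def audit_response(headers, https_only=True):
    """headers: (name, value) pairs as sent on the wire (Set-Cookie may repeat). Returns a list
    of findings, empty when all checks pass. Secure is only demanded on HTTPS-only sites."""
    findings, cookies, plain = [], [], {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            plain[name.lower()] = value.strip().lower()
    for name, ok in HEADER_CHECKS.items():
        if name not in plain:
            findings.append(f"missing header: {name}")
        elif not ok(plain[name]):
            findings.append(f"weak value for {name}: {plain[name]!r}")
    for raw in cookies:  # session cookie (SESSION_COOKIE_*) and remember cookie (REMEMBER_COOKIE_*)
        cname, attrs = parse_set_cookie(raw)
        if https_only and "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {cname}: SameSite not Lax/Strict")
    return findings

# Constructed samples: a Flask-default response and the hardened one.
DEFAULT_RESPONSE = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc; HttpOnly; Path=/")]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "session=abc; Secure; HttpOnly; Path=/; SameSite=Lax"),
    ("Set-Cookie", "remember_token=xyz; Secure; HttpOnly; Path=/; SameSite=Lax"),
]
```

Running `audit_response(DEFAULT_RESPONSE)` lists the four missing headers plus the two cookie flags; the hardened response yields no findings.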