Feature #1011

Updated by Alexander Watzinger over 5 years ago

To provide additional security we tested OpenAtlas at Mozilla and tried to implement the suggestions: https://observatory.mozilla.org/analyze/demo-dev.openatlas.eu 

 In application: 

 * Using secure cookies: https://infosec.mozilla.org/guidelines/web_security#cookies 
 * Setting SESSION_COOKIE_SAMESITE 

 Tested and added to install notes: 

 * HTTP Strict Transport Security https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security 
 * X-Content-Type-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options 
 * X-Frame-Options https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
 * X-XSS-Protection https://infosec.mozilla.org/guidelines/web_security#x-xss-protection 

 * SESSION_COOKIE_SAMESITE 
 * REMEMBER_COOKIE_SECURE 

 Documented how to activate it if using HTTPS only: 

 * SESSION_COOKIE_SECURE: https://infosec.mozilla.org/guidelines/web_security#cookies 
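
The ticket lists the cookie flags and response headers but not how to verify that a deployment actually sends them. The following is an added example, not OpenAtlas code: an offline checker that takes a raw HTTP response head (for a live check, paste the output of `curl -sI https://host/`) and reports which of the listed protections are missing. The two sample responses are constructed, the expected header values follow the Mozilla guidelines linked above, and the six-month HSTS threshold is an assumption of this example, not a value from the ticket.

```python
"""Added example (not OpenAtlas code): offline checker for the cookie flags and
response headers listed in Feature #1011. The two samples below are constructed
to show the same login page before and after hardening."""

# Six months in seconds; the HSTS max-age threshold this example uses
# (assumption of this example, not a value from the ticket).
HSTS_MIN_AGE = 15768000


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, headers).
    Header names are lower-cased; repeated headers (Set-Cookie) keep all values."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cookie_attributes(set_cookie):
    """Return (cookie name, {attribute: value}) for one Set-Cookie value.
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie(set_cookie):
    """Findings for one cookie: the attributes that SESSION_COOKIE_SECURE,
    REMEMBER_COOKIE_SECURE and SESSION_COOKIE_SAMESITE are meant to add."""
    name, attrs = cookie_attributes(set_cookie)
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict")
    return findings


def check_headers(headers):
    """Findings for the response headers the install notes add."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = {}
        for directive in hsts[0].split(";"):
            key, _, value = directive.strip().partition("=")
            directives[key.strip().lower()] = value.strip()
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age {max_age} below {HSTS_MIN_AGE}")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if headers.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY/SAMEORIGIN")
    xss = headers.get("x-xss-protection", [""])[0].replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    for set_cookie in headers.get("set-cookie", []):
        findings.extend(check_cookie(set_cookie))
    return findings


def audit(raw_response):
    """Raw response head -> list of findings (empty list means all checks pass)."""
    _, headers = parse_response_head(raw_response)
    return check_headers(headers)


# Constructed samples: Flask defaults behind a web server without the headers,
# and the same page once the cookie flags and headers are in place.
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; HttpOnly; Path=/\r\n"
    "Set-Cookie: remember_token=42|def456; Expires=Sat, 01 Jan 2022 00:00:00 GMT; Path=/\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/; SameSite=Lax\r\n"
    "Set-Cookie: remember_token=42|def456; Expires=Sat, 01 Jan 2022 00:00:00 GMT; "
    "Secure; HttpOnly; Path=/; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit(sample) or "OK")
```

Run it against the real deployment by replacing the sample with the captured response head of a page that sets the session and remember cookies (the login form), since SESSION_COOKIE_SECURE and REMEMBER_COOKIE_SECURE only show up on responses that set those cookies.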
