From 11180c261aaeafd34dbd7e41afdc1f0dc887cad6 Mon Sep 17 00:00:00 2001
From: WardPearce
Date: Tue, 11 Jul 2023 04:33:40 +1200
Subject: [PATCH 1/2] Added security headers
---
 README.md | 10 +++++++++-
 frontend/vercel.json | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index e4860683..2cc7dc2e 100644
--- a/README.md
+++ b/README.md
@@ -85,7 +85,6 @@ Paaster uses XChaCha20-Poly1305 encryption, which is implemented using the [libs
 - Paaster will never have opt-in / opt-out encryption, encryption will always be present.
 
 # Setup
-
 ## Production with Docker
 
 NOTE: Latest MongoDB requires CPU with AVX support. If you're using virtual CPU (e.g. `kvm64`) it will not work.
@@ -108,6 +107,15 @@ To fix that, either downgrade MongoDB to 4.x, or adjust your VM CPU configuratio
 NOTE: the self-hosted version uses a temporary container (`paaster-minio-init`) to create initial bucket
 in MinIO container and configure it for public access.
 
+### Recommended headers for frontend
+**Disable automatically via Vercel**
+
+- `Strict-Transport-Security: max-age=31536000`
+- `X-XSS-Protection: 1; mode=block`
+- `X-Frame-Options: DENY`
+- `Content-Security-Policy: default-src 'self'`
+- `Feature-Policy: microphone 'none'; camera 'none'; geolocation 'none'; payment 'none'`
+
 ### Vercel
 
 Paaster's frontend is also configured to work with [Vercel](https://vercel.com), which offers enhanced security through server separation and improved performance.
diff --git a/frontend/vercel.json b/frontend/vercel.json
index 945e73b8..1f56b9c0 100644
--- a/frontend/vercel.json
+++ b/frontend/vercel.json
@@ -1,3 +1,35 @@
 {
- "rewrites": [{ "source": "/(.*)", "destination": "/" }]
+ "headers": [
+ {
+ "source": "/(.*)",
+ "headers": [
+ {
+ "key": "Strict-Transport-Security",
+ "value": "max-age=31536000;"
+ },
+ {
+ "key": "X-XSS-Protection",
+ "value": "1; mode=block"
+ },
+ {
+ "key": "X-Frame-Options",
+ "value": "DENY"
+ },
+ {
+ "key": "Content-Security-Policy",
+ "value": "default-src 'self'"
+ },
+ {
+ "key": "Feature-Policy",
+ "value": "microphone 'none'; camera 'none'; geolocation 'none'; payment 'none'"
+ }
+ ]
+ }
+ ],
+ "rewrites": [
+ {
+ "source": "/(.*)",
+ "destination": "/"
+ }
+ ]
 }
\ No newline at end of file
From 0b0e436e845be8733fb9a1f0014af5a878a8056c Mon Sep 17 00:00:00 2001
From: WardPearce
Date: Tue, 11 Jul 2023 04:34:21 +1200
Subject: [PATCH 2/2] Fixed missing end character
---
 README.md | 2 +-
 frontend/vercel.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 2cc7dc2e..f955f9dc 100644
--- a/README.md
+++ b/README.md
@@ -114,7 +114,7 @@ in MinIO container and configure it for public access.
 - `X-XSS-Protection: 1; mode=block`
 - `X-Frame-Options: DENY`
 - `Content-Security-Policy: default-src 'self'`
-- `Feature-Policy: microphone 'none'; camera 'none'; geolocation 'none'; payment 'none'`
+- `Feature-Policy: microphone 'none'; camera 'none'; geolocation 'none'; payment 'none';`
 
 ### Vercel
 
diff --git a/frontend/vercel.json b/frontend/vercel.json
index 1f56b9c0..31c08ff9 100644
--- a/frontend/vercel.json
+++ b/frontend/vercel.json
@@ -21,7 +21,7 @@
 },
 {
 "key": "Feature-Policy",
- "value": "microphone 'none'; camera 'none'; geolocation 'none'; payment 'none'"
+ "value": "microphone 'none'; camera 'none'; geolocation 'none'; payment 'none';"
 }
 ]
 }
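Review bot: The added `Content-Security-Policy` entry with `"value": "default-src 'self'"` restricts every fetch, XHR and WebSocket to the page's own origin, so if the backend API or the MinIO bucket is served from a different host — which the README's "server separation" wording for Vercel suggests — the browser will refuse those requests, and because `'self'` also forbids inline scripts/styles and `data:` URLs, the deployed bundle needs to be checked in the browser console before this policy is relied on; an explicit `connect-src` allow-list for those origins plus `frame-ancestors 'none'` (the CSP counterpart of the X-Frame-Options entry) is the minimum fix. The `X-XSS-Protection` entry with `"value": "1; mode=block"` re-enables a legacy filter that current browsers have removed and that had its own side-channel problems; OWASP's current guidance is `X-XSS-Protection: 0`. `X-Content-Type-Options: nosniff` and a `Referrer-Policy` are the two inexpensive headers still missing from the list. The fence shows only the rewritten and added entries of the inner `headers` array; the Strict-Transport-Security and X-Frame-Options entries are unchanged and the `<api-origin>`/`<bucket-origin>` values are placeholders for the real hosts. Separately, the README text added in the same commit says these headers are "Disable automatically via Vercel", which reads as the opposite of what this file configures.
```json
{
  "key": "X-XSS-Protection",
  "value": "0"
},
{
  "key": "Content-Security-Policy",
  "value": "default-src 'self'; connect-src 'self' https://<api-origin> https://<bucket-origin>; frame-ancestors 'none'"
},
{
  "key": "X-Content-Type-Options",
  "value": "nosniff"
},
{
  "key": "Referrer-Policy",
  "value": "no-referrer"
}
```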
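Review bot: The trailing `;` added to the `Feature-Policy` value in this hunk is harmless, but it does not make the header effective: `Feature-Policy` has been superseded by `Permissions-Policy`, which is the name current browsers read, and its syntax is the structured `feature=()` form rather than the quoted `'none'` form used here. Replace the entry with `"key": "Permissions-Policy"` and `"value": "microphone=(), camera=(), geolocation=(), payment=()"`, and update the matching README bullet so the documented header agrees with what vercel.json actually sends. Keeping the old `Feature-Policy` entry alongside for very old Chromium builds is optional, but it should not be the only one.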