Thanks Kyle! These files aren't used in practice yet, but I'll keep
these suggestions in mind.
On Sat Nov 16, 2019 at 4:11 AM, Kyle Copperfield wrote:
> - Strong defaults based on the mozilla ssl generator
You should petition nginx to use these upstream as the defaults.
> - XFO / XSS / Content-Type all common headers
> - Strict cross origin referrer policy to prevent data leaks
+1
> - Strict feature policies sr.ht does not need, with omissions for
> potentially used features in the future
Almost +1 here, I'm gonna drop autoplay cause sourcehut.org may use this
to demonstrate new features (with muted autoplay loop videos) in the
future and who knows if other domains might want that.
> - DNS prefetch limitation on urls simply on the page
Can you explain this?
> - upgrade insecure requests for remote includes, which should really be
> blocked by the CSP anyway.
Fair enough.
One more thing (sorry for the reply spam):
> +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
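Review bot: the `preload` token on this line is the part to settle before merging; once the site is submitted to hstspreload.org, browsers hard-fail on any sr.ht subdomain without a valid certificate and removal only propagates with new browser releases, so consider landing `max-age=63072000; includeSubDomains` first and adding `preload` in a separate change once every subdomain is confirmed to serve valid HTTPS.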
"preload" can be dangerous if enabled on a whim:
https://hstspreload.org/#opt-in
Preload + hstspreload.org submission will make browsers *always* use
HTTPS for sr.ht + subdomains with no workaround (if cert is invalid
there won't be a "load site anyway" button in the browser UI).
In 2019 SSL certs are available for free so it's not a big problem but I
think it's good to point out the ramifications of this process: removing
HSTS preload would take months until new browser versions roll out (they
ship with HSTS preload list) so well... better to know what's going on
beforehand.
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor
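As an added example (not part of this thread or the sr.ht patch), a small Python checker that parses a Strict-Transport-Security value like the one quoted above and lists the commitments a reviewer should be aware of before enabling preload; the one-year minimum max-age is hstspreload.org's published requirement.

```python
from dataclasses import dataclass
from typing import Optional

# hstspreload.org's published minimum max-age for a preloaded site (one year)
MIN_PRELOAD_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 directive list).
    Directive names are case-insensitive; unknown directives are ignored."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age is mandatory in HSTS")
    return HstsPolicy(max_age, include_subdomains, preload)


def review_hsts(value: str) -> list[str]:
    """Findings a reviewer would raise before shipping this header."""
    p = parse_hsts(value)
    findings = []
    if p.preload:
        if p.max_age < MIN_PRELOAD_MAX_AGE:
            findings.append("preload needs max-age >= 31536000")
        if not p.include_subdomains:
            findings.append("preload needs includeSubDomains")
        findings.append("preload is a long-term commitment: all subdomains "
                        "must serve valid HTTPS; list removal takes months")
    elif p.include_subdomains:
        findings.append("includeSubDomains: all subdomains must serve valid "
                        "HTTPS for max-age seconds")
    return findings
```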