Security patches for website
These recommendations are from a web scanning tool called Webbkoll:
HTTP Strict Transport Security (HSTS) not implemented.
- Add HTTP Header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content Security Policy (CSP) header not implemented.
- Add HTTP Header: Content-Security-Policy: default-src 'self'
Referrer Policy set to strict-origin-when-cross-origin in Referrer-Policy HTTP header.
- Add HTTP Header: Referrer-Policy: no-referrer
Subresource Integrity (SRI) not implemented, but all external resources are loaded over HTTPS.
- SRI can be used with script and link elements. To enable SRI on an element, you need to add integrity and crossorigin attributes to it.
HTTP Strict Transport Security (HSTS) not implemented. <- Medium Severity. Forces browsers to use HTTPS only, preventing SSL-stripping attacks. To fix, add the following to the nginx site config:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Allow loading scripts from the same domain plus listed exceptions: <- Best Practice Severity
Content-Security-Policy: default-src 'self'; script-src 'self' https://exceptions.com; img-src 'self' data:;
Referrer Policy set to strict-origin-when-cross-origin in Referrer-Policy HTTP header. <- Information Severity. strict-origin-when-cross-origin offers more privacy: with this policy, only the origin is sent in the Referer header of cross-origin requests. This prevents leaks of private data that may be accessible from other parts of the full URL, such as the path and query string.
Subresource Integrity (SRI) <- Best Practice Severity. Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match. We need to have the source files so we can compute and provide the hash.
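As an added example (not part of the Webbkoll output or the site's own code), a small Python audit that checks a captured set of response headers against the recommendations above and computes the SRI integrity value for a script we host ourselves. The header dict and the script bytes are constructed sample input.

```python
import base64
import hashlib

# Header values the findings above recommend.
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'",
    "referrer-policy": "no-referrer",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the recommended header

def hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None

def audit_headers(headers):
    """Compare response headers (any name casing) with the recommendations above."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = []
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: add " + RECOMMENDED["strict-transport-security"])
    elif (hsts_max_age(hsts) or 0) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below one year: " + hsts)
    csp = present.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: add " + RECOMMENDED["content-security-policy"])
    elif "default-src" not in csp:
        findings.append("CSP has no default-src fallback: " + csp)
    policy = present.get("referrer-policy")
    if policy is None:
        findings.append("Referrer-Policy missing: add " + RECOMMENDED["referrer-policy"])
    elif policy.strip().lower() not in ("no-referrer", "strict-origin-when-cross-origin"):
        findings.append("Referrer-Policy is neither no-referrer nor strict-origin-when-cross-origin: " + policy)
    return findings

def sri_integrity(data, algorithm="sha384"):
    """Return the value for a script/link integrity attribute, e.g. sha384-<base64 digest>."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

if __name__ == "__main__":
    # Constructed sample: a site that sends a short-lived HSTS header and nothing else.
    print(audit_headers({"Strict-Transport-Security": "max-age=300", "Server": "nginx"}))
    # Constructed sample script body; pair the result with crossorigin="anonymous" on the tag.
    print(sri_integrity(b"console.log('hello');"))
```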
Let's discuss what's necessary and what's not.
Need access to Cloudflare