
[Cashtab] Add useful security headers

Description

[Cashtab] Add useful security headers

Summary:
T3395

Cashtab would benefit from some more strict security headers.

Strict-Transport-Security - allows only https
X-Frame-Options "DENY" -- prevent cashtab appearing in a frame, prevent clickjacking attacks
X-Content-Type-Options -- ref https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
Referrer-Policy -- only show the origin, for example we don't want to pass URL referrer info if it had tx params
Permissions-Policy -- do not allow camera use from another site

Also will add a CSP header, but this one is more complicated and risks breaking things -- so should be handled separately

Test Plan:

cd web/cashtab
docker build -t cashtab_local .
docker run --rm -p 8080:80 --name cashtab cashtab_local

In another terminal,

curl -I http://localhost:8080

Confirm output includes added headers

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D15102
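As an added check for the test plan's "confirm output includes added headers" step (example script, not part of the commit), this function reads the output of `curl -I http://localhost:8080` on stdin and reports each header as PASS or FAIL. The only value the description fixes is X-Frame-Options DENY; the other expected values (HSTS with a max-age, nosniff, an origin-only Referrer-Policy, camera disabled in Permissions-Policy) are assumptions drawn from the description.

```shell
# Validate the security headers described in D15102.
# Usage: curl -I http://localhost:8080 | check_security_headers
# Prints one PASS/FAIL line per header; returns non-zero if any check fails.
check_security_headers() {
    # Strip CRs and lowercase everything so matching is case-insensitive.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    fails=0
    # name:regex pairs; the regex is applied to the header value (assumed values).
    for spec in \
        'strict-transport-security:max-age=[0-9]+' \
        'x-frame-options:^deny$' \
        'x-content-type-options:^nosniff$' \
        'referrer-policy:^(origin|same-origin|strict-origin|strict-origin-when-cross-origin)$' \
        'permissions-policy:camera=\(\)'
    do
        name=${spec%%:*}
        pattern=${spec#*:}
        value=$(printf '%s\n' "$hdrs" | sed -n "s/^$name:[[:space:]]*//p" | head -n 1)
        if [ -z "$value" ]; then
            echo "FAIL $name: missing"
            fails=$((fails + 1))
        elif printf '%s\n' "$value" | grep -Eq "$pattern"; then
            echo "PASS $name: $value"
        else
            echo "FAIL $name: unexpected value '$value'"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample response (not captured from Cashtab) for an offline run.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: nginx\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf 'X-Frame-Options: DENY\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Referrer-Policy: strict-origin-when-cross-origin\r\n'
    printf 'Permissions-Policy: camera=()\r\n'
    printf '\r\n'
}

sample_headers | check_security_headers
```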

Details

Provenance: bytesofman, authored on Jan 5 2024, 19:32; pushed on Jan 5 2024, 21:17
Reviewer: Restricted Project
Differential Revision: D15102: [Cashtab] Add useful security headers
Parents: rABCfcc824a72963: [Chronik] Remove an unnecessary copy of CChainParams in chronik::Start
Branches: Unknown
Tags: Unknown