Security patches for website

[tmhall99]

These recommendations are from a web scanning tool called Webbkoll:

HTTP Strict Transport Security (HSTS) not implemented.

• Add HTTP Header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content Security Policy (CSP) header not implemented.

• Add HTTP Header: Content-Security-Policy: default-src 'self'

Referrer Policy set to strict-origin-when-cross-origin in Referrer-Policy HTTP header.

• Add HTTP Header: Referrer-Policy: no-referrer

Subresource Integrity (SRI) not implemented, but all external resources are loaded over HTTPS

• SRI can be used with script and link elements. To enable SRI on an element, you need to add integrity and crossorigin attributes to it.

[dirar]

• HTTP Strict Transport Security (HSTS) not implemented. <- Medium Severity
  Forces browsers to use HTTPS only, preventing SSL-stripping attacks. To fix we need to add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; in nginx site config

• Allow loading script from same domain and exceptions: <- Best Practice Severity
  Content-Security-Policy: default-src 'self'; script-src 'self' https://exceptions.com; img-src 'self' data:; More info: Here

• Referrer Policy set to strict-origin-when-cross-origin in Referrer-Policy HTTP header. <- Information Severity
  strict-origin-when-cross-origin offers more privacy. With this policy, only the origin is sent in the Referer header of cross-origin requests. This prevents leaks of private data that may be accessible from other parts of the full URL such as the path and query string

• Subresource Integrity (SRI) <- Best Practice Severity
  Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match. We have to have the source files and provide the hash.

let's discuss what's necessary and whats not

[dirar]

Need access to Cloudflare