[FEATURE] hardened security on the 401 pages #1187

Open
1 task done
sbe-arg opened this issue May 16, 2024 · 3 comments
sbe-arg commented May 16, 2024

What's needed and why?

When you have a website that shows the 401 page intentionally at root /

Mozilla Observatory reports the domain as D


Implementations ideas (optional)

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@sbe-arg sbe-arg added the enhancement New feature or request label May 16, 2024
@TheophileDiot
Member

Hi @sbe-arg, thank you for opening this feature request. Did you activate CORS in the settings by any chance?
I'll have a look for a hardened CSP on error pages.

@TheophileDiot TheophileDiot self-assigned this May 17, 2024
@sbe-arg
Author

sbe-arg commented May 17, 2024

I'm running CORS with the default settings; I have not made any CORS changes.

TheophileDiot added a commit that referenced this issue May 21, 2024
@TheophileDiot
Member

TheophileDiot commented May 21, 2024

I added the CSP header for the error pages, thank you again for this feature idea.
For the CORS, this is very weird: if you have the default values it shouldn't accept the requests. I'll have a look into it and let you know!

PS: I just tried it on one of our websites and the CORS test passes on the Observatory 🤔

TheophileDiot added a commit that referenced this issue May 21, 2024
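
One way to check for the gap this issue describes, before and after a fix: compare the headers on an intentional 401 response with those on a normal page. This is an added example, not code from the project or from the thread; the header checklist, the function names and both sample responses are assumptions constructed for illustration.

```python
from email.parser import Parser

# Assumed checklist of common hardening headers; the issue itself names only CSP and CORS.
HARDENING = ["content-security-policy", "strict-transport-security",
             "x-content-type-options", "x-frame-options", "referrer-policy"]

def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) for a raw HTTP/1.x response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    msg = Parser().parsestr(header_block, headersonly=True)
    return int(status_line.split()[1]), {k.lower(): v.strip() for k, v in msg.items()}

def audit_error_page(normal_raw, error_raw):
    """List hardening headers missing from the error response, and wildcard CORS on it."""
    _, normal = parse_response(normal_raw)
    status, error = parse_response(error_raw)
    findings = []
    for name in HARDENING:
        if name not in error:
            where = "sent on the normal page" if name in normal else "missing there too"
            findings.append(f"{status}: missing {name} ({where})")
    if error.get("access-control-allow-origin", "") == "*":
        findings.append(f"{status}: Access-Control-Allow-Origin is a wildcard")
    return findings

# Constructed sample responses (not captured from any real site).
NORMAL = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n\r\n<html>ok</html>"
)
ERROR = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Access-Control-Allow-Origin: *\r\n\r\n<html>401</html>"
)

if __name__ == "__main__":
    for line in audit_error_page(NORMAL, ERROR):
        print(line)
```
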