feat: set default HSTS and CSP headers for direct-exposure deployments (#14) #20
Conversation
The previous stance of "HSTS/CSP belong on the reverse proxy" leaves self-hosted OSS deployments with no hardening when no proxy sits in front. Direct-exposure HTTPS is a supported topology, so the defaults should protect it.

Add conservative defaults in securityHeaders():

- HSTS: max-age=31536000; includeSubDomains (no preload — that is a deliberate operator choice)
- CSP: default-src 'none'; frame-ancestors 'none'; base-uri 'none' (no effect on JSON/SSE; bundle UI HTML is consumed via fetch+srcdoc so the response CSP does not break the iframe bridge, but does protect anyone opening that HTML directly)

Operators who terminate TLS at a proxy that already emits these headers can disable them with NB_HSTS="" / NB_CSP="", or override to a stricter/looser value via env var or the middleware option. Env var takes precedence over option so ops can change the runtime policy without a code change.
a0c3ac0 to e5c1bc8
Rebased onto current main. One adjustment from the original PR: The proxy route in main strips upstream CSP and asserts

Resolution: middleware now respects route-level intent for HSTS/CSP using the same pattern as X-Frame-Options. The proxy route opts out by setting an internal

Diff now touches

PR #19 (the workspace generic-error PR) was also rebased — clean, no adjustments needed.
- Strip `x-nb-skip-security-defaults` from upstream proxy responses so a bundle dev server can't disable platform HSTS/CSP for unrelated routes.
- Add unit tests for the SKIP_DEFAULTS_HEADER opt-out path (HSTS/CSP skipped, header stripped from egress, other defaults still applied) and route-level HSTS/CSP override preservation.
- CHANGELOG entry under Changed for the new defaults + NB_HSTS/NB_CSP override env vars.
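The defaults, the env-var-over-option precedence and the route-level opt-out described in the PR body and in the rebase comment above, as an added Go net/http sketch that is not the project's code. The names securityHeaders, Options, setDefault, headerWriter and skipDefaultsHeader are assumptions, and the project's own X-Frame-Options pattern is not reproduced.

```go
package main

import "net/http"
import "os"

// Names are modelled on the PR text, not taken from the project.
const (
	defaultHSTS        = "max-age=31536000; includeSubDomains"
	defaultCSP         = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'"
	skipDefaultsHeader = "x-nb-skip-security-defaults" // internal route-level opt-out
)

type Options struct{ HSTS, CSP string } // middleware option values; "" means unset

// setDefault emits name unless the route already set it. Precedence is
// env var > option > default; an env var set to "" (NB_HSTS="") disables it.
func setDefault(h http.Header, name, env, opt, def string) {
	if v, set := os.LookupEnv(env); set {
		def = v
	} else if opt != "" {
		def = opt
	}
	if def != "" && h.Get(name) == "" {
		h.Set(name, def)
	}
}

// headerWriter applies defaults just before the header block is flushed, so the
// route's own HSTS/CSP (or its skip marker) is seen first; apply runs only once.
type headerWriter struct{ http.ResponseWriter; opts Options; done bool }

func (hw *headerWriter) apply() {
	if hw.done {
		return
	}
	hw.done = true
	h := hw.Header()
	skip := h.Get(skipDefaultsHeader) != ""
	h.Del(skipDefaultsHeader) // the internal marker never reaches the client
	if !skip {
		setDefault(h, "Strict-Transport-Security", "NB_HSTS", hw.opts.HSTS, defaultHSTS)
		setDefault(h, "Content-Security-Policy", "NB_CSP", hw.opts.CSP, defaultCSP)
	}
}
func (hw *headerWriter) WriteHeader(c int)          { hw.apply(); hw.ResponseWriter.WriteHeader(c) }
func (hw *headerWriter) Write(b []byte) (int, error) { hw.apply(); return hw.ResponseWriter.Write(b) }

// securityHeaders wraps next; a handler that writes nothing still gets defaults.
func securityHeaders(opts Options, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hw := &headerWriter{ResponseWriter: w, opts: opts}
		next.ServeHTTP(hw, r)
		hw.apply()
	})
}

// Stand-alone demo: serve the hardened defaults on a placeholder port.
func main() { http.ListenAndServe("127.0.0.1:8080", securityHeaders(Options{}, http.NotFoundHandler())) }
```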
Summary
Test plan
Closes #14