feat(core): introduce strict mode #483
Conversation
Closes #470

## Types of changes

- [ ] Bug fix (a non-breaking change which fixes an issue)
- [x] New feature (a non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Description

This PR adds a new `owaspDefaults` option, which can take 2 possible values:

- `compatibility` (default): OWASP default settings are chosen to minimize the possibility of breaking the app. These default values are the same as in v1.
- `security`: OWASP default settings are chosen to maximize security. These default values will usually require some additional fine-tuning to ensure the app will run smoothly.

With `security` OWASP level, the following headers are modified:

1- `contentSecurityPolicy` blocks everything by default with `default-src: 'none'`. In addition, all `'unsafe-inline'` values are removed.
2- `crossOriginEmbedderPolicy` is set to `require-corp`
3- `strictTransportSecurity` has the `preload` flag
4- `xFrameOptions` is set to `DENY`

## Checklist:

- [x] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [x] I have added tests to cover my changes (if not applicable, please state why)
Hi @Baroshem

Thanks @vejja for this amazing pull request. May I recommend using option `strict: boolean` that by default is set to `false` to be compatible and when set to `true` it will enable more strict options? But I do wonder, what will happen if user selects strict and then changes the values of the headers manually?

Yes, great idea

This is fine, the manual values will override the strict defaults

How about replacing

Oh, I see that this was more or less @vejja's original proposal, hence I'm leaning towards that, although proper naming is the key, as usual 😅

The main question is, do we expect to have more presets? Also, we could use the keyword

Personally I would lean towards not having more presets. Maintenance is the issue of course.

Ok, so let's keep it `strict` mode
Amazing work @vejja !
Feel free to merge this PR and let me know so that I can publish a new version with it :)
Closes #470

## Types of changes

## Description

This PR adds a new `strict` option, which can take 2 possible values:

- `false` (default): default settings are chosen to minimize the possibility of breaking the app. These default values are the same as in v1.
- `true`: default settings are chosen to maximize security. These default values will usually require some additional fine-tuning to ensure the app will run smoothly.

With the new `strict` mode, the following headers are modified:

1- `contentSecurityPolicy` blocks everything by default with `default-src: 'none'`. In addition, all `'unsafe-inline'` values are removed.
2- `crossOriginEmbedderPolicy` is set to `require-corp`
3- `strictTransportSecurity` has the `preload` flag
4- `xFrameOptions` is set to `DENY`

## Checklist:
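The following TypeScript is an added example and not nuxt-security's own code. It models the `strict` option as described in this PR (the four header changes listed above) together with the rule agreed in the discussion that manually configured header values override the strict defaults, and adds a small defender-side check that reports which strict-mode expectations a set of response headers fails. The `HeaderConfig` shape, the function names, and the values in `compatDefaults` are assumptions made for this illustration; the compatibility defaults in particular are constructed and are not the project's real v1 defaults.

```typescript
// Added example, not nuxt-security's own code. Option and header names come
// from the PR text; the config shape, functions and compatDefaults values are
// assumptions for illustration only.

type CspDirectives = Record<string, string[]>;

interface HeaderConfig {
  contentSecurityPolicy: CspDirectives;
  crossOriginEmbedderPolicy: string;
  strictTransportSecurity: { maxAge: number; includeSubdomains: boolean; preload: boolean };
  xFrameOptions: string;
}

// Constructed, permissive baseline standing in for the "compatibility" defaults
// (strict: false). These are NOT the project's actual v1 values.
const compatDefaults: HeaderConfig = {
  contentSecurityPolicy: {
    'default-src': ["'self'"],
    'script-src': ["'self'", "'unsafe-inline'"],
    'style-src': ["'self'", "'unsafe-inline'"],
  },
  crossOriginEmbedderPolicy: 'unsafe-none',
  strictTransportSecurity: { maxAge: 15552000, includeSubdomains: true, preload: false },
  xFrameOptions: 'SAMEORIGIN',
};

// Apply the four changes the PR lists for strict mode.
function applyStrict(base: HeaderConfig): HeaderConfig {
  const csp: CspDirectives = {};
  for (const [directive, sources] of Object.entries(base.contentSecurityPolicy)) {
    // 1- remove every 'unsafe-inline' source value
    csp[directive] = sources.filter((s) => s !== "'unsafe-inline'");
  }
  csp['default-src'] = ["'none'"]; // 1- block everything unless a directive allows it
  return {
    contentSecurityPolicy: csp,
    crossOriginEmbedderPolicy: 'require-corp',                           // 2-
    strictTransportSecurity: { ...base.strictTransportSecurity, preload: true }, // 3-
    xFrameOptions: 'DENY',                                               // 4-
  };
}

// Resolve the final configuration: pick the defaults for the chosen mode, then
// let user-supplied headers win per header, as agreed in the PR discussion.
function resolveHeaders(strict: boolean, overrides: Partial<HeaderConfig> = {}): HeaderConfig {
  const defaults = strict ? applyStrict(compatDefaults) : compatDefaults;
  return { ...defaults, ...overrides };
}

// Render the configuration as the HTTP response headers a client would see.
function serializeHeaders(config: HeaderConfig): Record<string, string> {
  const csp = Object.entries(config.contentSecurityPolicy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
  const hsts = config.strictTransportSecurity;
  const hstsValue = [
    `max-age=${hsts.maxAge}`,
    hsts.includeSubdomains ? 'includeSubDomains' : '',
    hsts.preload ? 'preload' : '',
  ].filter(Boolean).join('; ');
  return {
    'content-security-policy': csp,
    'cross-origin-embedder-policy': config.crossOriginEmbedderPolicy,
    'strict-transport-security': hstsValue,
    'x-frame-options': config.xFrameOptions,
  };
}

// Defender-side check: which strict-mode expectations does a set of response
// headers fail to meet? Returns an empty list when all four are satisfied.
function checkStrictHeaders(headers: Record<string, string>): string[] {
  const findings: string[] = [];
  const csp = headers['content-security-policy'] ?? '';
  if (!/(^|;\s*)default-src 'none'(;|$)/.test(csp)) findings.push("CSP default-src is not 'none'");
  if (csp.includes("'unsafe-inline'")) findings.push("CSP still contains 'unsafe-inline'");
  if (headers['cross-origin-embedder-policy'] !== 'require-corp') findings.push('COEP is not require-corp');
  if (!/\bpreload\b/.test(headers['strict-transport-security'] ?? '')) findings.push('HSTS lacks preload');
  if (headers['x-frame-options'] !== 'DENY') findings.push('X-Frame-Options is not DENY');
  return findings;
}

// Stand-alone run: strict defaults pass the check; one manual override is reported.
console.log(checkStrictHeaders(serializeHeaders(resolveHeaders(true))));
console.log(checkStrictHeaders(serializeHeaders(resolveHeaders(true, { xFrameOptions: 'SAMEORIGIN' }))));
```

Note that the override merge is per header: supplying `xFrameOptions` replaces that one value and leaves the strict CSP, COEP and HSTS defaults intact, which is the behaviour the discussion describes; `checkStrictHeaders` then makes such a deliberate relaxation visible rather than silently accepted.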