Hi,

INFRA team have suggested that we discuss this with the Security team.

The idea is to add some headers to our HTTP responses for the static content on the POI web site. I have the details in: https://issues.apache.org/jira/browse/INFRA-25358

I think if we used POI and maybe a few other ASF sites to experiment then we might then be able to look into rolling out a basic set of security headers on all ASF sites. These are pretty low risk from my experience.

  Strict-Transport-Security: max-age=31536000
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Referrer-Policy: origin-when-cross-origin

Arnout Engelen has suggested also:

  Content-Security-Policy: default-src 'self' data: 'unsafe-inline' https://www.apachecon.com/ https://analytics.apache.org/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.apache.org/; style-src 'self' 'unsafe-inline'; frame-ancestors 'none';

Permissions-Policy is another header that we could look at:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy

Maybe a value like this to restrict their use (i.e. an empty setting means no permissions):

  Permissions-Policy: microphone=(), geolocation=()

There are also CORS and related headers: https://scotthelme.co.uk/coop-and-coep/

The 2 questions are basically:

* what is a good set of security headers for POI site?
* would there be a good set that we can apply to all ASF sites? - and if so, would there be a way to allow some ASF projects to apply slightly different headers.

Thanks,
PJ
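As an added example (not part of PJ's mail or of any ASF configuration), a small Python check that compares a captured response header set against the baseline proposed above and flags the CSP source expressions that weaken it; the sample headers are constructed from the values quoted in the mail, and the HSTS minimum and the set of weak CSP keywords are assumptions of this example.

```python
"""Audit an HTTP response header set against the baseline proposed in the mail."""
import re
from typing import Dict, List

# Baseline from the mail: header -> expected value (HSTS is handled separately).
BASELINE = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "origin-when-cross-origin",
}
HSTS_MIN_MAX_AGE = 31536000          # one year, the value proposed in the mail
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")   # assumed list of weak CSP keywords

# Constructed sample: the header set as proposed in the mail (not a captured response).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "origin-when-cross-origin",
    "Content-Security-Policy": (
        "default-src 'self' data: 'unsafe-inline' https://www.apachecon.com/ "
        "https://analytics.apache.org/; script-src 'self' 'unsafe-inline' "
        "'unsafe-eval' https://analytics.apache.org/; style-src 'self' "
        "'unsafe-inline'; frame-ancestors 'none';"
    ),
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:                                   # skip the empty trailing part
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers: Dict[str, str]) -> List[str]:
    """Return findings against the baseline; an empty list means it is fully met."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, expected in BASELINE.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif value.strip().lower() != expected.lower():
            findings.append(f"{name} is '{value}', expected '{expected}'")
    hsts = lower.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if not max_age or int(max_age.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:   # only script-bearing directives are flagged; style-src 'unsafe-inline' is left alone
        for directive, sources in parse_csp(csp).items():
            if directive in ("default-src", "script-src"):
                findings.extend(f"{directive} allows {w}" for w in WEAK_SOURCES if w in sources)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Running it against the sample shows the proposed baseline headers pass while the suggested CSP is flagged for 'unsafe-inline' in default-src and for 'unsafe-inline' and 'unsafe-eval' in script-src.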
