Security in Gatsby is an important topic, and deserves a page in the docs describing what Gatsby does well and what developers need to watch out for. It could go under "Improving Performance" in the Guides section of the docs.
There is a wonderful new blog post on security from @moonmeister: https://www.gatsbyjs.org/blog/2019-04-06-security-for-modern-web-frameworks/
This issue serves as a follow-up to make sure we add a dedicated page in the docs for security in Gatsby. It should list best practices and gotchas to prepare Gatsby devs as much as possible for security limitations and requirements.
Hey @marcysutton, as soon as I've PR'd #14564 I can start working on this one! I recently went through and made sure to patch up my own blog with Mozilla Observatory, and the blog post referenced 👆🏽 was really helpful - I think this would be a great guide to work on 🚀
That's fantastic, @dyyyl. We look forward to seeing what you come up with!
Sorry, wrong button! I did not mean to close this.
@dyyyl how's it going with the security guide?
Hey @marcysutton, so sorry, I got super caught up. Starting to make more progress now; should have a PR ready early next week.
Any news @dyyyl? I was on vacation for a while, so I wanted to check up on it.
Hey @dyyyl! Any update? If life has gotten busy, we'd be happy to take this on or let another contributor pick it up.
In the interest of moving things along, I'm going to unassign this one and open it up to the community. @dyyyl if you still want to contribute a PR, we'd love to have it!
Hey @marcysutton I'd be happy to try and draft something up and see what people think? Based on the in-depth article posted, this page would provide devs with ways to easily apply the concepts explained in the article.
Some concepts I see as important (I'm open to suggestions from others):
public external API tokens on a client-side app)
This is what comes to my mind initially, but I am open to others' opinions.
@jjroush that sounds great, I'd say go for it! Your thinking sounds very aligned with what is needed for this doc, especially keeping secrets secret since that has come up a few times recently in sourcing recipes.
Ahh, @jjroush thanks so much for taking this over. Other things you may want to cover are tools like Mozilla Observatory and how to properly set Content Security Policy headers!
More ideas for security
@dyyyl Mozilla Observatory is an awesome tool... so many useful headers!
Hey @jjroush, how's it going on this issue?
@marcysutton I'll do my best to get a PR from my fork up in a day or so. I know the issue talked about putting this under Improving Performance, but it may be better suited to the security section of the conceptual guides. You may have a better idea after I get the PR up.
Hey @jjroush, just checking in on this issue. Is there a PR here that hasn't been linked? Happy to make that connection if needed.
Hey folks, I wrote a blog post when I first set my Gatsby site up that covered the security stuff I did.
https://tempered.works/posts/setting-up-tempered-dot-works-with-gatsbyjs-and-netlify#what-about-security
Happy to use an updated version of that content plus what's in this thread to get you a security page up and running. I'll aim to have you a PR this week unless someone else jumps in.
@marcysutton I am interested in taking it on.
@brabster are you still interested in working on this?
@laurieontech Should I close my PR then?
@brabster are you still interested in working on this?
Apologies, got snowed under with work etc. pretty much as I offered to help!
Happy to contribute to @kushthedude's PR if I can find anything to add; looks like a lot of info there! Looks like a substantial piece of work!
@kushthedude Not at all! Just wanted to follow up with @brabster to see if they had anything in the works we'd need to consider with your PR.
Thanks.
This issue is still open, and it's important to reiterate that it shouldn't be a straight copy of @moonmeister's blog post. He had some good advice in https://github.com/gatsbyjs/gatsby/pull/19778#issuecomment-559331816 (a PR that was closed for not meeting Gatsby's Code of Conduct and working standards):
start from the beginning, writing your own content or at least organizing and collating content. If you want to quote me directly do so, if you want to pull ideas from my work or others that is fine. But just like I did in my post, you need to use footnotes or inline references to give credit to the original authors.
Hi guys. This issue was stale for a few months, and I decided to solve it. Feedback appreciated!