Generator-jhipster: Fix Security Headers so we get an A

Created on 31 Oct 2017  ·  2 Comments  ·  Source: jhipster/generator-jhipster

Overview of the issue

If I run securityheaders.io on 21-Points Health, it gets a C.

Motivation for or Use Case

Better security.

Reproduce the error

https://securityheaders.io/?q=www.21-points.com&followRedirects=on

Related issues
Suggest a Fix

Add Missing Headers: Content-Security-Policy, X-Frame-Options, Referrer-Policy

JHipster Version(s)
[email protected] /Users/mraible/dev/21-points
└── [email protected]

JHipster configuration, a .yo-rc.json file generated in the root folder
{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "org.jhipster.health",
      "nativeLanguage": "en"
    },
    "jhipsterVersion": "4.6.2",
    "baseName": "TwentyOnePoints",
    "packageName": "org.jhipster.health",
    "packageFolder": "org/jhipster/health",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "hibernateCache": "ehcache",
    "clusteredHttpSession": false,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "postgresql",
    "searchEngine": "elasticsearch",
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "gradle",
    "enableSocialSignIn": false,
    "jwtSecretKey": "replaced-by-jhipster-info",
    "clientFramework": "angularX",
    "useSass": true,
    "clientPackageManager": "yarn",
    "applicationType": "monolith",
    "testFrameworks": [
      "gatling",
      "protractor"
    ],
    "jhiPrefix": "jhi",
    "enableTranslation": true,
    "nativeLanguage": "en",
    "languages": [
      "en",
      "fr"
    ],
    "herokuAppName": "health-by-points"
  }
}

JDL for the Entity configuration(s) entityName.json files generated in the .jhipster directory


JDL entity definitions

entity BloodPressure (blood_pressure) {
  timestamp ZonedDateTime required,
  systolic Integer required,
  diastolic Integer required
}
entity Weight (weight) {
  timestamp ZonedDateTime required,
  weight Double required
}
entity Points (points) {
  date LocalDate required,
  exercise Integer,
  meals Integer,
  alcohol Integer,
  notes String maxlength(140)
}
entity Preferences (preferences) {
  weekly_goal Integer required min(10) max(21),
  weight_units Units required
}

enum Units {
  kg,
  lb
}

relationship OneToOne {
  Preferences{user(login)} to User
}
relationship ManyToOne {
  BloodPressure{user(login)} to User,
  Weight{user(login)} to User,
  Points{user(login)} to User
}

paginate BloodPressure with infinite-scroll
paginate Weight with infinite-scroll
paginate Points with pagination

Environment and Tools

java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)

git version 2.14.1

node: v6.11.0

npm: 3.10.10

bower: 1.8.2

gulp:
[08:57:52] CLI version 3.9.1

yeoman: 2.0.0

yarn: 1.2.1

Docker version 17.09.0-ce, build afdb6d4

docker-compose version 1.16.1, build 6d1ac21

Labels: area, help wanted
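As an added example (not code from this issue or from JHipster's generator), here is how the three headers named under "Suggest a Fix" would be set in the Spring Security configuration of a JHipster 4.x monolith (Spring Boot 1.5 / Spring Security 4.2 APIs). The package name is taken from the .yo-rc.json above; the class name, the CSP_REPORT_ONLY flag and the exact policy string are assumptions. In a generated app the body of configure() would be merged into the existing SecurityConfiguration rather than added as a second WebSecurityConfigurerAdapter.

```java
package org.jhipster.health.config; // package from the .yo-rc.json above

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

/**
 * Example only (class name is hypothetical): adds the headers securityheaders.io
 * reports as missing. Spring Security already emits X-Content-Type-Options: nosniff,
 * X-XSS-Protection: 1; mode=block, Cache-Control no-store and HSTS on HTTPS.
 */
@Configuration
@EnableWebSecurity
public class SecurityHeadersConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Starting policy for a monolith that serves its own Angular client from one
     * origin. Angular injects component styles inline, so style-src needs
     * 'unsafe-inline' unless nonces are used. Sites that load scripts, fonts or
     * images from other origins, or call other APIs, must add those origins to the
     * relevant directive; do not fall back to '*' or the header stops being useful.
     */
    static final String CONTENT_SECURITY_POLICY =
        "default-src 'self'; " +
        "script-src 'self'; " +
        "style-src 'self' 'unsafe-inline'; " +
        "img-src 'self' data:; " +
        "font-src 'self' data:; " +
        "connect-src 'self'; " +
        "frame-ancestors 'none'; " +
        "form-action 'self'; " +
        "base-uri 'self'";

    /**
     * Hypothetical switch: roll the policy out as Content-Security-Policy-Report-Only
     * first, watch for violations, then flip to enforcing. Breaks nothing while true.
     */
    static final boolean CSP_REPORT_ONLY = true;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // X-Frame-Options: DENY. A generated JHipster app disables this header
        // (the dev-profile H2 console runs in a frame); use sameOrigin() in the dev
        // profile only if you need the console, and DENY everywhere else.
        http.headers().frameOptions().deny();

        // Referrer-Policy: strict-origin-when-cross-origin. Full URL to same-origin
        // targets, origin only to other HTTPS origins, nothing on HTTPS -> HTTP.
        http.headers().referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN);

        // Content-Security-Policy (or -Report-Only while validating the directives).
        if (CSP_REPORT_ONLY) {
            http.headers().contentSecurityPolicy(CONTENT_SECURITY_POLICY).reportOnly();
        } else {
            http.headers().contentSecurityPolicy(CONTENT_SECURITY_POLICY);
        }

        // The rest of the generated configuration (CSRF, CORS filter, JWT filter,
        // authorizeRequests() rules) stays as JHipster generated it.
    }
}
```

Calling http.headers() repeatedly returns the same HeadersConfigurer, which keeps each header on its own statement and avoids the and() chaining that differs between the sub-configurers. The report-only stage matters for exactly the situation raised in the comments below: a deployment with cross-origin resources will see violations in the browser console (or at a report-uri, if one is configured) instead of broken pages, and the directives can be widened to the specific origins before enforcing.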

All 2 comments

The latest JHipster gets a B
https://securityheaders.io/?q=https://api.aihello.com&followRedirects=on

Agreed that we need to add the requested headers to bring it to an A, but making changes to the requested headers would be a breaking change for sites like mine, which have cross-origin requests and multiple content sources.

Yes, the B is already good, and:

Anyway, I'm closing this as a "B" is already OK, and we had no contribution on this for more than 1 month. But if anyone wants to improve this, feel free to do a PR directly.
