Generator-jhipster: Improve Security Headers

Created on 10 Apr 2019 · 10 Comments · Source: jhipster/generator-jhipster

Overview of the feature request

We should improve our security headers to show we care about security.

jhipster.tech gets an F: https://securityheaders.com/?q=jhipster.tech&followRedirects=on
21-points.com gets a C: https://securityheaders.com/?q=21-points.com&followRedirects=on

In my experience with raibledesigns.com, a lot of the headers can be configured at the server level (rather than the app level), so it might just be a matter of documentation.

raibledesigns.com gets an A: https://securityheaders.com/?q=raibledesigns.com&followRedirects=on

Motivation for or Use Case

To show we care about security on the JHipster project.

Related: You can configure a Content Security Policy with Spring Security.

All 10 comments

Can we do much about jhipster.tech as it is hosted by github pages? Agree for our generated apps.

@jhipster/developers Did we do anything about the headers for our generated apps already?

For www.jhipster.tech, it is served by Github Pages so I'm not sure we can do much. However for start.jhipster.tech, it's a JHipster app so we should be setting the CSP headers to improve security.

We should set all security headers by default and document them on a special page. The Spring Security docs document them well: https://docs.spring.io/spring-security/site/docs/5.2.x/reference/html5/#default-security-headers-2

However this might impact the development experience, @mraible what do you think?

It'd be cool to write some documentation on how to get from having a C to an A. I don't care if it's Heroku or someone else, but it'd be similar to https://developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify.

I will work on that. I propose to deny the page to be framed (or same origin); currently we do not send any information about that. Furthermore I would set the referrer policy to strict-origin-when-cross-origin.

For the headers feature-policy and ~content-security~ I think we should document that, as they are highly specific imho. For jhipster online we should set all headers with the features we want to allow. I can also do that.
Edit: We can set default-src 'self' for content-security which seems to be a reasonable default.

@jhipster/developers We could also set a very restrictive feature-policy (e.g. deny all features for example or only allow fullscreen).

Finally it looks like this:

Before: [screenshot: securityheaders.com scan results for https://gradleheroku.herokuapp.com, before the change]

After: [screenshot: securityheaders.com scan results for https://gradleheroku.herokuapp.com, after the change]

We need to set both unsafe-inline and unsafe-eval for the script sources in the content-security header, which reduces our rating to A. It seems angular or some plugin uses inline or eval somewhere.

What do you think? Leave the content-security header or set it with some "insecure" settings? https://securityheaders.com/?q=https%3A%2F%2Fgradleheroku.herokuapp.com%2F&followRedirects=on
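The header set proposed above (frame denial, strict-origin-when-cross-origin referrer policy, a `default-src 'self'` CSP with the Angular-driven `unsafe-inline`/`unsafe-eval` exception, and a restrictive feature-policy) expressed as a Spring Security 5.1+ configuration. This is an added example, not code from the JHipster generator; the class name and the exact feature-policy directives are assumptions.

```java
// Added example (not JHipster's own code): Spring Security 5.1+ HttpSecurity
// configuration sending the headers discussed in this thread. Class name and
// feature-policy directive list are illustrative assumptions.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

public class SecurityHeadersConfiguration extends WebSecurityConfigurerAdapter {

    // The proposed default: only same-origin resources of any kind.
    static final String STRICT_CSP = "default-src 'self'";

    // What the thread found necessary for the Angular client: script-src must
    // allow inline scripts and eval(). securityheaders.com downgrades the
    // rating for this, so prefer STRICT_CSP once the inline/eval usage is gone.
    static final String ANGULAR_CSP =
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Content-Security-Policy
                .contentSecurityPolicy(ANGULAR_CSP)
            .and()
                // Referrer-Policy: strict-origin-when-cross-origin
                .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
                // Feature-Policy: deny powerful features, allow fullscreen for this origin only
                .featurePolicy("geolocation 'none'; microphone 'none'; camera 'none'; fullscreen 'self'")
            .and()
                // X-Frame-Options: DENY (use .sameOrigin() if the app must frame itself)
                .frameOptions().deny();
        // X-Content-Type-Options, X-XSS-Protection and (over HTTPS) Strict-Transport-Security
        // are emitted by Spring Security's defaults and are left enabled here.
    }
}
```

Re-scan the deployed app with securityheaders.com after each directive change; the CSP is the only header here that commonly breaks the client, so test file downloads and third-party resources against it.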

With reference to https://stackoverflow.com/questions/57500340/jhipster-doesnt-open-file-uploaded/57505766#57505766 and https://github.com/jhipster/generator-jhipster/issues/10227. Maybe we need to add information about adding exceptions to content security policy in our documentation? I can add this if you like. 😄

We should allow downloading uploaded files by default I would say. So we should open a bug to track that.


@atomfrede I fully agree with you and no need to open a new bug, just re-open #10227
