Update Content Security Policy #530

Open
colbymorrison opened this issue Aug 28, 2020 · 0 comments
Labels
security security stuffs

@colbymorrison (Contributor)

We can ensure more security by updating the Content Security Policy header (which is currently only frame-ancestors 'none'). This ensures scripts, HTTP, styles, fonts, and other data are only loaded from trusted sources. A good resource can be found here. The work here is to figure out exactly which sources we currently load things from, such as Firebase and the Google APIs, and whitelist them in the CSP. A missing whitelist could break the functionality of the site. This header (and other extra HTTP headers) is configured via an AWS Lambda@Edge function which can be edited from the Covid Watch AWS.
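One way the Lambda@Edge origin-response function could build the expanded policy, as an added example (not the project's own code): it keeps the existing `frame-ancestors 'none'`, adds per-directive allowlists, and can emit the policy as `Content-Security-Policy-Report-Only` first so a missing source shows up as a report instead of a broken page. The `buildCsp`/`addSecurityHeaders` names and the allowlisted origins are assumptions; the origins are placeholders to be replaced with the hosts the site actually loads from.

```javascript
'use strict';

// The policy the site ships today: clickjacking protection only, no source restrictions.
const CURRENT_CSP = "frame-ancestors 'none'";

// Allowlist per directive. The origins below are PLACEHOLDERS (assumption): replace them
// with the Firebase and Google API hosts found by auditing the site's network requests.
// Inline <script>/<style> blocks are blocked by these directives unless given a nonce/hash.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://firebase-origin.example', 'https://google-apis.example'],
  'connect-src': ["'self'", 'https://firebase-origin.example', 'https://google-apis.example'],
  'style-src': ["'self'"],
  'font-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"], // keep the protection the current header already gives
};

// Serialise the directive map into a single CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Add the CSP to a CloudFront response object. With reportOnly=true the browser only
// reports violations, which is the safe first step given the "missing whitelist" risk.
function addSecurityHeaders(response, reportOnly) {
  const key = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  // CloudFront expects header names lower-cased as map keys, with the display-cased key inside.
  response.headers[key.toLowerCase()] = [{ key, value: buildCsp(CSP_DIRECTIVES) }];
  return response;
}

// Lambda@Edge origin-response handler: CloudFront hands us the origin's response to modify.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response, /* reportOnly */ true);
}

if (typeof module !== 'undefined') {
  module.exports = { handler, buildCsp, addSecurityHeaders, CSP_DIRECTIVES, CURRENT_CSP };
}
```

Once the report-only run shows no violations for normal use of the site, switch `reportOnly` to `false` to enforce the policy.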

@colbymorrison colbymorrison added the security security stuffs label Aug 28, 2020