
additional 'security' headers when using arc.http #569

@brianleroux


Lighthouse is encouraging applications to add the following headers, which are essentially default behaviors of Architect anyhow. I'd like to propose that if a developer is using @architect/functions and returning { html: '<strong>my html</strong>' } we add the following headers automatically:

```js
headers['Strict-Transport-Security'] = 'max-age=0'
headers['X-Content-Type-Options'] = 'nosniff'
headers['X-Frame-Options'] = 'DENY'
headers['X-XSS-Protection'] = '1'
```
  • Strict-Transport-Security tells the browser to use HTTPS. Architect applications use API Gateway, which is incapable of HTTP, so this one is a very safe default.
  • X-Content-Type-Options indicates the MIME types in the Content-Type should be strictly followed
  • X-Frame-Options prevents loading the page in an iframe
  • X-XSS-Protection is a Chrome-only feature and setting it to 1 is declaring the browser default behavior

Of course, developers should be able to override at will by returning their own headers in the response.
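One way the merge described above could be implemented, as an added example that is not part of the issue or of @architect/functions itself: a helper that applies the proposed defaults only to responses carrying an `html` body and lets any header the developer returned take precedence. The function name `withSecurityHeaders` and the sample response objects are constructed for this example. Two points a practitioner would check: header names are case-insensitive, so an override written as `x-frame-options` must suppress the default `X-Frame-Options` rather than being emitted alongside it; and the `max-age=0` value is copied from the proposal as-is, while RFC 6797 defines `max-age=0` as an instruction for the browser to discard any stored HSTS policy, so a deployment that actually wants HSTS enforcement sets a positive `max-age`.

```javascript
// Added example (not @architect/functions code): merge default security
// headers into an arc.http-style response object, letting any header the
// developer set (in any letter case) win over the default.
const DEFAULT_SECURITY_HEADERS = {
  // Value copied from the proposal. Note: per RFC 6797, max-age=0 tells the
  // browser to drop a stored HSTS policy; a real deployment would use a
  // positive max-age such as 31536000.
  'Strict-Transport-Security': 'max-age=0',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1',
};

// Returns a new response object; the caller's object is not mutated.
function withSecurityHeaders(response, defaults = DEFAULT_SECURITY_HEADERS) {
  // Only HTML responses get the defaults; JSON/API responses are left alone,
  // matching the proposal's "returning { html: ... }" condition.
  if (!response || typeof response.html !== 'string') return response;

  const headers = { ...(response.headers || {}) };

  // HTTP header names are case-insensitive. Compare lowercased names so a
  // developer-supplied 'x-frame-options' counts as an override and we never
  // emit both 'x-frame-options' and 'X-Frame-Options' in one response.
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));

  for (const [name, value] of Object.entries(defaults)) {
    if (!present.has(name.toLowerCase())) headers[name] = value;
  }
  return { ...response, headers };
}

// Constructed sample responses exercising the three cases: a plain HTML
// response, an HTML response overriding one default, and a non-HTML response.
const plainHtml = withSecurityHeaders({ html: '<strong>my html</strong>' });
const framed = withSecurityHeaders({
  html: '<p>embeddable widget</p>',
  headers: { 'x-frame-options': 'SAMEORIGIN' },
});
const apiJson = withSecurityHeaders({ json: { ok: true } });

console.log(plainHtml.headers); // all four defaults
console.log(framed.headers);    // four headers; developer's SAMEORIGIN kept, DENY not added
console.log(apiJson.headers);   // undefined: non-HTML responses are untouched
```

Because the helper returns a fresh object, it can sit at the end of an `arc.http` middleware chain without side effects on earlier handlers, and the override rule falls out of the lowercase-key comparison rather than a list of special cases.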
