Posted to notifications@pekko.apache.org by "pjfanning (via GitHub)" <gi...@apache.org> on 2024/02/21 22:31:53 UTC

[PR] add security headers [incubator-pekko-site]

pjfanning opened a new pull request, #86:
URL: https://github.com/apache/incubator-pekko-site/pull/86

   I've tried these out on https://pekko.staged.apache.org
   
   these changes get us an A grade on https://securityheaders.com
   
   e.g. https://securityheaders.com/?q=https%3A%2F%2Fpekko.staged.apache.org%2F&hide=on&followRedirects=on
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@pekko.apache.org
For additional commands, e-mail: notifications-help@pekko.apache.org


Re: [PR] add security headers [incubator-pekko-site]

Posted by "raboof (via GitHub)" <gi...@apache.org>.
raboof merged PR #86:
URL: https://github.com/apache/incubator-pekko-site/pull/86




Re: [PR] add security headers [incubator-pekko-site]

Posted by "raboof (via GitHub)" <gi...@apache.org>.
raboof commented on code in PR #86:
URL: https://github.com/apache/incubator-pekko-site/pull/86#discussion_r1498860684


##########
content/.htaccess:
##########
@@ -55,3 +55,11 @@ RewriteRule ^japi/([^/]+)/1.0.2/(.*)$ https://nightlies.apache.org/pekko/docs/$1
 RewriteRule ^docs/([^/]+)/1.0/(.*)$ https://nightlies.apache.org/pekko/docs/$1/1.0/docs/$2 [P]
 RewriteRule ^api/([^/]+)/1.0/(.*)$ https://nightlies.apache.org/pekko/docs/$1/1.0/api/$2 [P]
 RewriteRule ^japi/([^/]+)/1.0/(.*)$ https://nightlies.apache.org/pekko/docs/$1/1.0/japi/$2 [P]
+
+# Security Headers
+Header set Strict-Transport-Security "max-age=31536000"
+Header set Content-Security-Policy "default-src 'self' https://api.github.com/ https://pekko.apache.org/ ; style-src 'self' https://pekko.apache.org/ 'unsafe-inline' ; script-src 'self' https://pekko.apache.org/ 'unsafe-inline' ; frame-src 'self' ;"
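Review bot: 'unsafe-inline' in script-src on the Content-Security-Policy line effectively disables the policy's protection against injected scripts, since any inline script an attacker manages to inject is allowed to run; consider moving inline scripts into files served from 'self' or allowing them with a nonce or hash so 'unsafe-inline' can be dropped (style-src keeping 'unsafe-inline' is a much smaller concession). Two smaller points on the same hunk: frame-src only restricts what this site may embed, it does not stop other sites framing pekko.apache.org, so a frame-ancestors directive (or an X-Frame-Options header) would be needed for clickjacking protection; and `Header set` only applies to successful responses in Apache httpd, so `Header always set` is the safer form for Strict-Transport-Security if the header should also be sent on redirects and error pages.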

Review Comment:
   do we really want to allow calls to api.github.com? I filed https://github.com/apache/incubator-pekko-sbt-paradox/issues/110 for this, perhaps we should at least link to that from here?


