Feature-Policy updates - now required for an A+ on SecurityHeaders.com
In my blog post and DjangoCon Europe talk earlier this year, How to Score A+ for Security Headers on Your Django Website, I covered that Feature-Policy was a “bonus header”. In a recent update, Scott Helme wrote that an A+ on SecurityHeaders.com now requires Feature-Policy. It also no longer requires X-Xss-Protection (though it’s still a good idea).
Chrome also has some Feature-Policy support enabled by default, so most users will be protected when it’s set. Previously it was hidden behind the “experimental web features” flag, but this is now only used for enabling Feature-Policy support for certain features.
> document.featurePolicy.allowedFeatures()
< ["accelerometer", "ambient-light-sensor", "autoplay", "camera", "encrypted-media", "focus-without-user-activation", "fullscreen", "geolocation", "gyroscope", "magnetometer", "microphone", "midi", "payment", "picture-in-picture", "speaker", "sync-xhr", "usb", "vr"]
I added some updates to my how-to on these changes. If you haven’t set the header previously, consider adding it for that sweet A+ score! You can add it on your Django apps with my django-feature-policy package. I updated django-feature-policy this morning to version 3.0.0 to include the latest set of features.
Since I don't use any of these features, I have disabled them all on my personal website. I did this by setting the header with a policy for all 18 like so:
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; focus-without-user-activation 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'
My site is hosted on CloudFront, so I set the header with Lambda@Edge as I covered here.
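As an added example (my own illustration here, not django-feature-policy's code nor the Lambda@Edge function), here is the same deny-all header built in Python: a serializer that turns a feature-to-allowlist mapping into the header value, rejecting unknown feature names and malformed allowlists so a typo cannot silently leave a feature enabled, plus a Django-style middleware that sets it. The middleware shape and the rule that only https:// origins are accepted are assumptions.

```python
# Added example, not django-feature-policy's own code; the middleware shape is assumed.

# The 18 features Chrome reports via document.featurePolicy.allowedFeatures()
CHROME_FEATURES = (
    "accelerometer", "ambient-light-sensor", "autoplay", "camera",
    "encrypted-media", "focus-without-user-activation", "fullscreen",
    "geolocation", "gyroscope", "magnetometer", "microphone", "midi",
    "payment", "picture-in-picture", "speaker", "sync-xhr", "usb", "vr",
)

def serialize_allowlist(values):
    """Render one feature's allowlist: 'none'/'self' are quoted keywords,
    '*' and https:// origins are written bare, and 'none' must stand alone."""
    values = [values] if isinstance(values, str) else list(values)
    if "none" in values and len(values) > 1:
        raise ValueError("'none' cannot be combined with other values")
    out = []
    for v in values:
        if v in ("none", "self"):
            out.append(f"'{v}'")
        elif v == "*" or v.startswith("https://"):
            out.append(v)
        else:
            raise ValueError(f"unsupported allowlist value: {v!r}")
    return " ".join(out)

def build_feature_policy(policy):
    """policy maps feature name -> allowlist. Unknown names are rejected so a
    typo cannot silently leave a feature enabled."""
    unknown = set(policy) - set(CHROME_FEATURES)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    return "; ".join(f"{f} {serialize_allowlist(v)}" for f, v in policy.items())

def deny_all_policy():
    """The disable-everything value used on the site in the post."""
    return build_feature_policy({f: "none" for f in CHROME_FEATURES})

class FeaturePolicyMiddleware:
    """Django-style middleware; response supports item assignment for
    headers, as Django's HttpResponse does. Policy is validated at startup."""
    def __init__(self, get_response, policy):
        self.get_response = get_response
        self.header_value = build_feature_policy(policy)

    def __call__(self, request):
        response = self.get_response(request)
        response["Feature-Policy"] = self.header_value
        return response
```

`deny_all_policy()` reproduces the exact header value shown above; the checks in `build_feature_policy` are the reason to generate the value rather than hand-type it.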
It now scores a mere A:
My score is capped at an A because of two new warnings:
Content-Security-Policy - This policy contains ‘unsafe-inline’ which is dangerous in the style-src directive.
SecurityHeaders.com is now more strict about CSP. It’s fair enough that I’m marked down for allowing inline CSS. I am using it to slightly optimize page speed, but this can open up a potential XSS attack vector.
My site is statically generated so it’s not really a risk, but I should probably move off inline CSS.
Feature-Policy - We detected an invalid directive, “focus-without-user-activation”.
I think this is a feature that needs adding to SecurityHeaders.com, since I pulled it from the latest Chrome list.