Feature-Policy updates - now required for an A+ on SecurityHeaders.com

In my blog post and DjangoCon Europe talk earlier this year, How to Score A+ for Security Headers on Your Django Website, I covered Feature-Policy as a “bonus header”. In a recent update, Scott Helme wrote that an A+ on SecurityHeaders.com now requires Feature-Policy. It also no longer requires X-Xss-Protection (though it’s still a good idea).
Chrome also now has Feature-Policy support enabled by default, so most users are protected as soon as the header is set. Previously it was hidden behind the “Experimental Web Platform features” flag; that flag now only enables Feature-Policy support for certain additional features.
Opening the JavaScript console in Chrome 75, without the experimental flag on, and querying for the list of features, I see 18 features allowed:
> document.featurePolicy.allowedFeatures()
< [
"accelerometer",
"ambient-light-sensor",
"autoplay",
"camera",
"encrypted-media",
"focus-without-user-activation",
"fullscreen",
"geolocation",
"gyroscope",
"magnetometer",
"microphone",
"midi",
"payment",
"picture-in-picture",
"speaker",
"sync-xhr",
"usb",
"vr",
]
I added some updates to my how-to on these changes. If you haven’t set the header previously, consider adding it for that sweet A+ score!
You can add it on your Django apps with my django-feature-policy package. I updated django-feature-policy this morning to version 3.0.0 to include the latest set of features.
Since I don't use any of these features, I have disabled them all on my personal website. I did this by setting the header with a 'none' allowlist for all 18, which disables each feature both in my pages and in any iframe they embed, like so:
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; focus-without-user-activation 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'
My site is hosted on CloudFront, so I set the header with Lambda@Edge as I covered here.
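As an added example (not the post's own Lambda@Edge code, and not taken from django-feature-policy), here is a minimal origin-response handler that builds the same deny-all header from the Chrome 75 feature list and sets it on the CloudFront response. The event shape is CloudFront's documented Lambda@Edge format; the sample event at the bottom is constructed for offline testing and trimmed to the fields the handler reads. Function names are my own.

```javascript
'use strict';

// The 18 features Chrome 75 reports from document.featurePolicy.allowedFeatures()
// without the experimental flag (same list as above). Every one is denied for
// the site's documents and for any frame they embed.
const DENIED_FEATURES = [
  'accelerometer', 'ambient-light-sensor', 'autoplay', 'camera',
  'encrypted-media', 'focus-without-user-activation', 'fullscreen',
  'geolocation', 'gyroscope', 'magnetometer', 'microphone', 'midi',
  'payment', 'picture-in-picture', 'speaker', 'sync-xhr', 'usb', 'vr',
];

// Serialise {feature: [allowlist entries]} into the Feature-Policy header
// syntax: directives joined by '; ', each "feature-name entry entry ...".
function buildFeaturePolicy(policy) {
  return Object.keys(policy)
    .map((feature) => `${feature} ${policy[feature].join(' ')}`)
    .join('; ');
}

// Policy that sets every listed feature to 'none'.
function denyAll(features) {
  const policy = {};
  for (const feature of features) policy[feature] = ["'none'"];
  return buildFeaturePolicy(policy);
}

// Add the header to a CloudFront response object. CloudFront keys headers by
// lower-cased name and stores each as an array of {key, value}; assigning the
// key replaces any Feature-Policy header the origin sent.
function addFeaturePolicy(response, features = DENIED_FEATURES) {
  response.headers['feature-policy'] = [
    { key: 'Feature-Policy', value: denyAll(features) },
  ];
  return response;
}

// Lambda@Edge entry point for an origin-response trigger (deploy as index.handler).
async function handler(event) {
  return addFeaturePolicy(event.Records[0].cf.response);
}

// Constructed sample event, trimmed to the fields this handler reads.
const SAMPLE_EVENT = {
  Records: [{
    cf: {
      response: {
        status: '200',
        statusDescription: 'OK',
        headers: {
          'content-type': [{ key: 'Content-Type', value: 'text/html' }],
        },
      },
    },
  }],
};

if (typeof module !== 'undefined') {
  module.exports = { handler, addFeaturePolicy, denyAll, buildFeaturePolicy, DENIED_FEATURES };
}
```

Because the handler runs on every origin response, keep it free of network calls and keep the feature list in code: Lambda@Edge functions cannot read environment variables, so the list is the deployed artefact.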
It now scores a mere A:

My score is capped at an A because of two new warnings:
Content-Security-Policy - This policy contains ‘unsafe-inline’ which is dangerous in the style-src directive.
SecurityHeaders.com is now more strict about CSP. It’s fair enough that I’m marked down for allowing inline CSS. I am using it to slightly optimize page speed, but 'unsafe-inline' in style-src means any markup an attacker manages to inject can also apply arbitrary CSS, which is a potential attack vector.
My site is statically generated, so there is no dynamic content for anyone to inject into and it’s not much of a risk in practice, but I should probably move off inline CSS.
Feature-Policy - We detected an invalid directive, “focus-without-user-activation”.
I think this is a feature name that SecurityHeaders.com needs to add to its list, since I pulled it straight from Chrome 75's allowedFeatures() output.
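To see how a scanner ends up reporting an "invalid directive", and to check a header of your own before submitting it, here is an added example (not SecurityHeaders.com's code, whose feature list is not public here) that parses a Feature-Policy value and lints it against the Chrome 75 feature list from earlier in the post. The second lint run assumes, as the post concludes, that the scanner's list simply lacks focus-without-user-activation; that scanner list is a constructed stand-in, and the function names are mine.

```javascript
'use strict';

// Directive names Chrome 75 reports from document.featurePolicy.allowedFeatures()
// without the experimental flag (the 18 names listed earlier in the post).
const CHROME_75_FEATURES = new Set([
  'accelerometer', 'ambient-light-sensor', 'autoplay', 'camera',
  'encrypted-media', 'focus-without-user-activation', 'fullscreen',
  'geolocation', 'gyroscope', 'magnetometer', 'microphone', 'midi',
  'payment', 'picture-in-picture', 'speaker', 'sync-xhr', 'usb', 'vr',
]);

// Parse a Feature-Policy header value into a Map of feature -> allowlist tokens.
// Syntax: directives separated by ';', each a feature name followed by
// whitespace-separated allowlist entries ('*', 'self', 'none', or origins).
function parseFeaturePolicy(value) {
  const policy = new Map();
  for (const directive of value.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ';'
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist);
  }
  return policy;
}

// Lint a header value the way a scanner would:
//  unknown   - directive names not in the known feature list
//  mixedNone - allowlists that combine 'none' with other entries (contradictory)
//  uncovered - known features the header leaves at their browser default
function lintFeaturePolicy(value, knownFeatures = CHROME_75_FEATURES) {
  const policy = parseFeaturePolicy(value);
  const report = { unknown: [], mixedNone: [], uncovered: [] };
  for (const [feature, allowlist] of policy) {
    if (!knownFeatures.has(feature)) report.unknown.push(feature);
    if (allowlist.includes("'none'") && allowlist.length > 1) report.mixedNone.push(feature);
  }
  for (const feature of knownFeatures) {
    if (!policy.has(feature)) report.uncovered.push(feature);
  }
  return report;
}

// The deny-all header from the post.
const POST_HEADER = "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; focus-without-user-activation 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'";

// Constructed stand-in for a scanner whose list predates focus-without-user-activation.
const SCANNER_FEATURES = new Set(CHROME_75_FEATURES);
SCANNER_FEATURES.delete('focus-without-user-activation');

if (typeof module !== 'undefined') {
  module.exports = { parseFeaturePolicy, lintFeaturePolicy, CHROME_75_FEATURES, SCANNER_FEATURES, POST_HEADER };
}
```

Against the Chrome 75 list the post's header is clean and leaves nothing uncovered; against the stand-in scanner list the same header reports focus-without-user-activation as unknown, which is the warning described above. The uncovered check is the one worth keeping in a build pipeline: when a new Chrome release adds a feature, it tells you which directive to add.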
Related posts:
- How to Score A+ for Security Headers on Your Django Website
- Scoring A+ for Security Headers on My Cloudfront-Hosted Static Website
- Getting a Django Application to 100% Test Coverage
Tags: django