Feature-Policy updates - now required for an A+ on SecurityHeaders.com2019-08-02
In my blog post and DjangoCon Europe talk earlier this year How to Score A+ for Security Headers on Your Django Website, I covered that
Feature-Policy was a “bonus header”.
In a recent update, Scott Helme wrote that an A+ on SecurityHeaders.com now requires
Also it no longer requires
X-Xss-Protection (though it’s still a good idea).
Chrome also has some Feature-Policy support enabled by default, so most users will be protected when it’s set. Previously it was hidden behind the “experimental web features” flag, but this is now only used for enabling Feature-Policy support for certain features.
I added some updates to my how-to on these changes. If you haven’t set the header previously, consider adding it for that sweet A+ score!
Since I don’t use any of these features, I have disabled them all on my personal website. I did this by setting the header with a policy for all 18 like so:
My site is hosted on CloudFront, so I set the header with Lambda@Edge as I covered here.
It now scores a mere A:
My score is capped at an A because of two new warnings:
Content-Security-Policy - This policy contains ‘unsafe-inline’ which is dangerous in the style-src directive.
SecurityHeaders.com is now more strict about CSP. It’s fair enough that I’m marked down for allowing inline CSS. I am using it to slightly optimize page speed, but this can open up a potential XSS attack vector.
My site is statically generated so it’s not really a risk, but I should probably move off inline CSS.
Feature-Policy - We detected an invalid directive, “focus-without-user-activation”.
I think this is a feature that needs adding to SecurityHeaders.com, since I pulled it from the latest Chrome list.
Go forth in greater security,
- How to Score A+ for Security Headers on Your Django Website
- Scoring A+ for Security Headers on My Cloudfront-Hosted Static Website
- Getting a Django Application to 100% Coverage
© 2020 All rights reserved.