Provide automatic templates for Referrer-Policy, Content-Security-Policy and other related headers

This is an extension of Security Headers, in a Caddy style, to make it easy to make it secure, and to provide good and secure defaults.

Wouldn’t it be cool if I could just say:

security_template HIGH

and it will:

  1. Upgrade all my Cookie requests to Secure; HttpOnly if they lack that.
  2. Set Referrer-Policy: no-referrer, strict-origin-when-cross-origin
  3. Remove (not set) Server and Version headers.
  4. Remove any set cookies (i.e. from proxied requests, manual header calls, or from cgi) that do not set Max-Age.
  5. Set X-Frame-Options: SAMEORIGIN // for older browsers that do not support CSP
  6. Strict-Transport-Security: max-age=63072000; // I guess this is already done by Caddy?
  7. X-XSS-Protection: 1; mode=block // for older browsers that do not support CSP
  8. X-Content-Type-Options: nosniff
  9. Remove any Access-Control-Allow-Origin: *, if it is set by accident.
  10. Set X-Content-Security-Policy automatically based on Content-Security-Policy for older browsers.
  11. Set Content-Security-Policy: default-src 'none'; img-src 'self' data: https:; font-src 'self' 'https://fonts.googleapis.com'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; frame-ancestors 'self'; connect-src 'self'

security_template ULTRA

could have a few tweaks.

  1. Reject all cookies in both ways, and clear cookies that are sent by client, unless they are on a whitelist or prefixed with __Secure
  2. Set Referrer-Policy: no-referrer
  3. Set X-Frame-Options: DENY
  4. Strict-Transport-Security: like before, but with "includeSubDomains; preload"
  5. Require configuring Public-Key-Pins: header.
  6. Automatically serve /robots.txt with blocking all crawling.
  7. Even stricter CSP (no Google fonts, no external images, even over https, and no unsafe-inline for scripts). frame-ancestors 'none'; connect-src 'none', etc.
  8. Require setting up report-uri for CSP.
  9. Require that the proper single Domain is set on Set-Cookie.
  10. Strip Referer from clients, and do not send to cgi scripts.

security_template NONE - do not do any magic, beyond maybe Strict-Transport-Security

security_template NORMAL - disable a few things, similar to HIGH, but maybe allow object-src, plugin-types, connect-src, frame-ancestors in CSP (from self only or self + https).

There should be a way to:

  1. Modify CSP manually (i.e. append, or modify existing items on the list).
  2. Remove or set headers manually after setting up the template. Warn if they are redundant with the template!
  3. Version templates. Caddy developers should have a way to upgrade templates to better defaults in the future, but users should be able to pin to a specific template version, e.g. HIGH.1.0
  4. ULTRA would be unstable by design. Non-versioned. Sure, it can break the site after an upgrade, but well, you opted into it, and better fix your site, or add some whitelisting if you want to be sure it works.

For example it would be nice to have Caddy verify that if CSP has a nonce type set, all specific resources do have some nonce set (it doesn't need to check if they are correct really). I know, it requires some form of HTML parsing, so maybe not really, but it could be a plugin in the future that is enabled by default at the ultra level. Just an option and idea.

Another similar option: make sure the cross-origin resources (i.e. jquery scripts) do have integrity tags (content hashes) and crossorigin="anonymous" attributes set. Again, a bit tricky without a plugin with some HTML parsing. Again, an idea for the future.

I know this is hard, and far reaching, but I think it might be worth it. Most people do not even know about these headers, and all the semantics behind them.
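As an added example (not part of the original post and not Caddy's own code), here is the HIGH list from the post applied to a Go http.Header: cookies without Max-Age are dropped, the rest get Secure and HttpOnly, Server and an accidental wildcard Access-Control-Allow-Origin are removed, and the remaining headers are set to the listed values. The function names applyHigh and hasAttr are assumptions, and the CSP is written with straight quotes and the font host unquoted, as CSP syntax requires.

```go
package main
import (
	"net/http"
	"strings"
)
const highCSP = "default-src 'none'; img-src 'self' data: https:; font-src 'self' " +
	"https://fonts.googleapis.com; object-src 'none'; script-src 'self' 'unsafe-inline'; " +
	"style-src 'self'; frame-ancestors 'self'; connect-src 'self'"
// hasAttr reports whether a Set-Cookie value already carries attr (case-insensitive).
func hasAttr(cookie, attr string) bool {
	for _, part := range strings.Split(cookie, ";")[1:] {
		if strings.EqualFold(strings.SplitN(strings.TrimSpace(part), "=", 2)[0], attr) {
			return true
		}
	}
	return false
}
// applyHigh rewrites a response's headers per the HIGH list (constructed example, not Caddy code).
func applyHigh(h http.Header) {
	// Items 1 and 4: drop cookies without Max-Age; force Secure and HttpOnly on the rest.
	var kept []string
	for _, c := range h.Values("Set-Cookie") {
		if !hasAttr(c, "Max-Age") {
			continue
		}
		for _, attr := range []string{"Secure", "HttpOnly"} {
			if !hasAttr(c, attr) {
				c += "; " + attr
			}
		}
		kept = append(kept, c)
	}
	h.Del("Set-Cookie")
	for _, c := range kept {
		h.Add("Set-Cookie", c)
	}
	h.Del("Server") // item 3: do not identify the server software
	if h.Get("Access-Control-Allow-Origin") == "*" { // item 9: accidental wildcard CORS
		h.Del("Access-Control-Allow-Origin")
	}
	// Items 2, 5-8, 10-11: fixed defaults; Set overwrites whatever upstream sent.
	h.Set("Referrer-Policy", "no-referrer, strict-origin-when-cross-origin")
	h.Set("X-Frame-Options", "SAMEORIGIN")
	h.Set("Strict-Transport-Security", "max-age=63072000")
	h.Set("X-XSS-Protection", "1; mode=block")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", highCSP)
	h.Set("X-Content-Security-Policy", highCSP)
}
```

A middleware would call applyHigh on the response headers before they are flushed to the client.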


Low, Medium and High would be my preferred nomenclature
