
Security Concerns
Hello,

It was recently brought to my attention that our website may be missing some HTTP security headers, leading to vulnerabilities. After doing some research, it seemed to me that the most prevalent ones are the following:

- X-Frame-Options
- Content-Security-Policy
- Strict-Transport-Security

After reading about each one, they all seemed valuable in their own way. However, I wanted to hear some other opinions from folks using Interchange. Has anyone here implemented these security features? If so, do you feel that they are beneficial in preventing any breaches to your website?

Any advice or input is helpful and much appreciated. Thank you for your time.

Best,
Mihai Dan
Air Delights



_______________________________________________
interchange-users mailing list
interchange-users@interchangecommerce.org
https://www.interchangecommerce.org/mailman/listinfo/interchange-users
Re: Security Concerns
On Thu, 5 Nov 2020, mihai@airdelights.com wrote:

> It was recently brought to my attention that our website may be missing
> some HTTP security headers, leading to vulnerabilities. After doing some
> research, it seemed to me that the most prevalent ones are the
> following:
>
> - X-Frame-Options
> - Content-Security-Policy
> - Strict-Transport-Security
>
> After reading about each one, they all seemed valuable in their own way.
> However, I wanted to hear some other opinions from folks using
> Interchange. Has anyone here implemented these security features?

Yes.

> If so, do you feel that they are beneficial in preventing any breaches
> to your website?

Yes.

Using X-Frame-Options and Content-Security-Policy to limit what frames and
scripts can be used on a page, where external elements can come from, etc.
is very worthwhile, but when adding them to existing sites it can take a
lot of work to ensure you don't break intended functionality.

Strict-Transport-Security is simpler, if your site is all running over
HTTPS already. Just be careful about making it apply to subdomains if
you're not certain all subdomains can be HTTPS only. One way to tread
cautiously here is to set the TTL to a few seconds, a minute at most, so
if you discover it caused problems you can remove it and users won't face
breakage for too long.

Jon


--
Jon Jensen
End Point Corporation
https://www.endpoint.com/
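The checks Jon describes, as an added example that is not part of the thread or of Interchange: it audits a response's headers for the three headers named above, treating HSTS max-age and includeSubDomains the way his reply advises (a short TTL while trialling, caution before covering subdomains). The sample header sets and the one-year steady-state target are constructed assumptions.

```python
# Added example: audit X-Frame-Options, CSP and HSTS on a set of response headers.
LONG_MAX_AGE = 31536000  # assumed steady-state target (one year); not from the thread
ROLLOUT_MAX_AGE = 60     # "a few seconds, a minute at most" while trialling HSTS

def parse_hsts(value):
    """Split 'max-age=60; includeSubDomains' into {'max-age': '60', 'includesubdomains': ''}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def audit_headers(headers, rollout=False):
    """Return a list of findings for a dict of response headers.

    rollout=True: HSTS is being trialled, so a long max-age is flagged.
    rollout=False: steady state, so a short max-age is flagged instead.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options")
    if "frame-ancestors" not in csp.lower():  # CSP frame-ancestors supersedes XFO
        if xfo is None:
            findings.append("no framing control: add X-Frame-Options or CSP frame-ancestors")
        elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options '{xfo}' is not DENY/SAMEORIGIN; browsers ignore it")
    if not csp:
        findings.append("no Content-Security-Policy: script and frame sources are unrestricted")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP contains 'unsafe-inline'; inline script or style still runs")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security")
        return findings
    d = parse_hsts(hsts)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        findings.append("HSTS max-age missing or non-numeric; browsers ignore the header")
        return findings
    if rollout and max_age > ROLLOUT_MAX_AGE:
        findings.append(f"HSTS max-age={max_age} during rollout; keep it <= {ROLLOUT_MAX_AGE}s")
    if not rollout and max_age < LONG_MAX_AGE:
        findings.append(f"HSTS max-age={max_age} is short for steady state")
    if "includesubdomains" in d:
        findings.append("HSTS includeSubDomains set: every subdomain must be HTTPS-only")
    return findings

# Constructed sample header sets (not captured from any real site).
TRIAL_HEADERS = {"Strict-Transport-Security": "max-age=60", "X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'"}
LEGACY_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
                  "X-Frame-Options": "ALLOW-FROM https://shop.example"}
```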