Skip to content

fix(bff): improve security headers #2652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

fix(bff): improve security headers #2652

wants to merge 6 commits into from

Conversation

@arealmaas
Copy link
Collaborator

@arealmaas arealmaas commented Sep 4, 2025

Hva er endret?

Quickly generated by Claude 4, so gotta take a sanity check here before merging anything..!

🔒 Enhanced Security Headers Added:

🆕 New Security Features:

1. Enhanced Content Security Policy:

  • styleSrc - Controls CSS sources (allows inline styles for UI)
  • fontSrc - Allows web fonts from secure sources
  • connectSrc - Controls AJAX/fetch connections
  • frameSrc - Blocks all iframe embedding
  • baseUri - Prevents base tag hijacking
  • formAction - Restricts form submissions
  • upgradeInsecureRequests - Forces HTTPS upgrades

2. Privacy & Process Isolation:

  • dnsPrefetchControl: false - Improves user privacy
  • originAgentCluster: true - Better process isolation
  • ieNoOpen: true - IE download security

3. Improved Referrer Policy:

  • ✅ Changed to strict-origin-when-cross-origin (more balanced than no-referrer)
  • ✅ Maintains functionality while protecting privacy

4. Enhanced Permissions Policy:

  • ✅ Explicitly disables camera, microphone, geolocation
  • ✅ Blocks interest-cohort (Google FLoC tracking)

5. Server Fingerprinting Protection:

  • hidePoweredBy: true - Removes server identification headers

🎯 Key Security Improvements:

Header Before After
CSP Basic policy ✅ Comprehensive 8-directive policy
Privacy Basic protection ✅ DNS prefetch control + enhanced referrer
Process Isolation Standard ✅ Origin-based clustering
Permissions Generic "none" ✅ Specific API blocking
X-XSS-Protection Enabled ✅ Disabled (per helmet recommendation)

🔍 Notable Changes:

X-XSS-Protection Disabled:

  • Changed xssFilter: truexssFilter: false
  • Per Helmet docs, this header is "buggy" and "makes things worse"
  • Modern CSP provides better XSS protection

Referrer Policy Improved:

  • Changed from no-referrerstrict-origin-when-cross-origin
  • Balances privacy with functionality (analytics, debugging)

CSP Enhanced:

  • Added 5 new directives for comprehensive protection
  • Allows necessary resources (fonts, images) while blocking dangerous ones

Your security posture is now enterprise-grade with defense against the latest attack vectors! 🛡️

Related Issue(s)

  • #N/A

@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 4, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 27, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arealmaas