[openstreetmap/openstreetmap-website] Improve HTTPS security (#3108)

Tom Hughes notifications at github.com
Fri Feb 19 12:48:24 UTC 2021


They're all wrong though, or deliberate decisions.

The first is wrong, or at least irrelevant, because we redirect to https and have HSTS enabled and preloaded. We just don't forbid http loading in the CSP because we don't have control over what resources we might need to load from third party sites - for example if somebody uses an http link for an image in a diary post.

The second (as they even admit) is again largely irrelevant because redirect to https and have HSTS enabled and preloaded. We probably should set it but virtually nobody will ever load a page over http with a session cookie because of HSTS.

The third is entirely deliberate so that third parties can use the API!

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3108#issuecomment-782053785
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20210219/8aec7aa1/attachment.htm>


More information about the rails-dev mailing list