Hi Jason,
> <http://observatory.mozilla.org> and discovered our SSP IdP gets a
> fairly bad score.
>
> It's marked down for lack of CSP, CORS,
> SRI, X-Content-Type-Options, X-Frame-Options as well as lack of Pinning
> - but I don't care about that :-)
>
> Anyway, I was thinking that as our SSP IdP relies on no other websites,
> I can probably look at installing the appropriate headers/etc to make
> all those "negative" comments disappear, but then I thought this might
> be something that should be built in? I appreciate a lot of this is
> context-sensitive: people doing wild things within their IdP plus such
> default security settings could make for disaster - but it would
> probably be absolutely fine for the majority of sites using SSP?
I think indeed a good IdP should have a high score on this test.
SSP already does some things in regard to these tests, e.g. default to
secure, httponly cookies, and send X-Frame-Options.
But at least in our environment, we currently tend to consider this
a webserver configuration mostly, not an application configuration. Just
like SSP the application itself will not give you a high SSLLabs score.
Different sites can have different requirements and just setting
Strict-Transport-Security unconditionally is impractical at least.
Of course we could build them all into SSP, and add options to control
whether or not these headers will be sent. And what values SSP will
send. But we already have a highly configurable part of our stack in
this regard, which is the web server. It's trivial to add these headers
in Apache or nginx. And you have all the flexibility that you want to
pick and choose what to support.
So maybe we should just document to consider doing this there, or add
some examples even.
What do you think?
Cheers,
Thijs
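As an added illustration of the "do it in the web server" approach discussed above (this is example configuration written for this thread, not SimpleSAMLphp project code or documentation), here is an Apache mod_headers fragment that sets the headers the Observatory report complained about, with HSTS kept inside the HTTPS virtual host so it is not sent unconditionally. The hostname, paths and the exact Content-Security-Policy value are assumptions: the CSP in particular has to be tuned to what the IdP's own templates actually load, so it should be rolled out with `Content-Security-Policy-Report-Only` first and checked against real login pages.

```apache
# Example only: assumes mod_headers is enabled ("a2enmod headers" on Debian/Ubuntu)
# and that the IdP is served from https://idp.example.org (placeholder hostname).
<IfModule mod_headers.c>
    <VirtualHost *:443>
        ServerName idp.example.org
        DocumentRoot /var/www/simplesamlphp/www   # placeholder path

        # Stop browsers from MIME-sniffing responses into scripts or stylesheets.
        Header always set X-Content-Type-Options "nosniff"

        # SSP already sends X-Frame-Options itself; "set" at the server level
        # replaces it so the value is governed by the web server config only.
        Header always set X-Frame-Options "DENY"

        # Assumed starting policy: everything from the IdP's own origin, no framing.
        # Verify against the IdP's pages in Report-Only mode before enforcing.
        Header always set Content-Security-Policy "default-src 'self'; frame-ancestors 'none'"

        # HSTS lives in the :443 host only, so it is never emitted over plain HTTP
        # and can be dropped for sites where it is impractical. Start with a short
        # max-age and raise it once every path under the hostname is known to be HTTPS.
        Header always set Strict-Transport-Security "max-age=300"
    </VirtualHost>
</IfModule>

# Plain-HTTP host: no security headers, just a redirect to HTTPS.
<VirtualHost *:80>
    ServerName idp.example.org
    Redirect permanent / https://idp.example.org/
</VirtualHost>
```

`Header always set` (rather than `Header set`) is used so the headers also go out on error responses, which matters for an IdP whose error pages are reached by users. The nginx equivalent is `add_header <Name> "<value>" always;` inside the `server { listen 443 ssl; ... }` block, with the same placement rule for Strict-Transport-Security. CORS and SRI from the report are not web server headers in the same sense: a site that loads no cross-origin resources needs no CORS configuration, and SRI is a property of the `<script>`/`<link>` tags in the IdP's templates.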