Hi everyone,
After a security 'test' of our Dataverse we decided to have a look at the Security Headers. There seems to be a lot we can set to improve security: X-Content-Type-Options, Referrer-Policy and Permissions-Policy, to name a few.
The X-Frame-Options however is a potential blocker for previewers and 'widgets'.
Our previewers are running from the same domain, so for us it's no problem, and otherwise you could whitelist the previewers' location. But these widgets seem more problematic, because any client could use them on their site. Is there a way to 'secure' Dataverse from framing, but allow the widgets?
The other thing is the Content-Security-Policy, not sure what the best thing is to do for that one. The URL 'https://dataverse.harvard.edu/dataverse/harvard' has Content-Security-Policy: frame-ancestors 'none'. Is that something we should all have in place?
Cheers,
Paul
B.T.W. any tips on what is best practice for those headers are welcome.
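As an added illustration (not part of the post above, and not Dataverse code), the following checker models how a browser decides whether a page may be framed given the two headers discussed: CSP `frame-ancestors` takes precedence when present, otherwise `X-Frame-Options` applies. The header sets at the bottom are constructed, including the hypothetical previewer host `https://previewers.example.org`, and the matcher is simplified (paths in host-sources are ignored, origins are assumed lowercase).

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, page_origin, embedder_origin):
    """Match one frame-ancestors source expression against an embedding origin.
    Simplified matcher: paths in host-sources are ignored, origins assumed lowercase."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return embedder_origin == page_origin
    if src.endswith(":") and "/" not in src:            # scheme-source such as https:
        return embedder_origin.startswith(src + "//")
    emb = urlsplit(embedder_origin)
    scheme, _, host = src.rpartition("://")
    if scheme and scheme != emb.scheme:
        return False
    host = host.split("/")[0]
    if host.startswith("*."):                           # *.example.org: subdomains only
        return (emb.hostname or "").endswith(host[1:])
    return host in (emb.netloc, emb.hostname)

def framing_allowed(headers, page_origin, embedder_origin):
    """Decide whether embedder_origin may frame a page served with these headers.
    When frame-ancestors is present it takes precedence over X-Frame-Options."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in csp:
        return any(source_allows(s, page_origin, embedder_origin)
                   for s in csp["frame-ancestors"])
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True                                          # no framing protection at all

# Constructed header sets for illustration (not captured from any real server).
LOCKED_DOWN = {"Content-Security-Policy": "frame-ancestors 'none'"}
PREVIEWER_ALLOWLIST = {
    "X-Frame-Options": "SAMEORIGIN",      # fallback for browsers without frame-ancestors
    "Content-Security-Policy": "frame-ancestors 'self' https://previewers.example.org",
}
```

Running `framing_allowed(PREVIEWER_ALLOWLIST, page, embedder)` for each origin that should and should not be able to embed your installation is a quick way to review a candidate policy before deploying it.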