Security Headers


paul...@dans.knaw.nl

Feb 1, 2023, 4:10:37 AM
to Dataverse Users Community
Hi everyone,

After a security 'test' of our Dataverse we decided to have a look at the Security Headers. There seems to be a lot we can set to improve security: X-Content-Type-Options, Referrer-Policy and Permissions-Policy, to name a few.
The X-Frame-Options header, however, is a potential blocker for previewers and 'widgets'.
Our previewers are running from the same domain, so for us it's no problem, and otherwise you could whitelist the previewers' location. But these widgets seem more problematic, because any client could use them on their site. Is there a way to 'secure' Dataverse from framing but allow the widgets?

The other thing is the Content-Security-Policy; I'm not sure what the best thing to do is for that one. The URL 'https://dataverse.harvard.edu/dataverse/harvard' has Content-Security-Policy: frame-ancestors 'none'. Is that something we should all have in place?

Cheers,
Paul

B.T.W. any tips on what is best practice for those headers are welcome.
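The framing question in this post (a `frame-ancestors 'none'` policy like Harvard's blocks every embedder, `'self'` plus a whitelisted previewer origin allows only those, and a widget endpoint that third-party sites embed needs no frame-ancestors restriction at all) can be checked offline against a header set. The following is an added example, not Dataverse code and not part of the original post; the hostnames, the header sets and the installation URL are constructed, and the `frame-ancestors`-overrides-`X-Frame-Options` precedence it applies is the one the CSP specification defines for browsers that support both headers.

```python
"""Added example (not Dataverse code): decide whether a page may be framed by a
given embedding origin, from its Content-Security-Policy frame-ancestors and
X-Frame-Options headers. Hostnames and header values below are constructed."""
from urllib.parse import urlsplit


def _origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, page_url, embedder_url):
    """Does one frame-ancestors source expression match the embedder's origin?"""
    emb_scheme, emb_host, emb_port = _origin(embedder_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(page_url) == (emb_scheme, emb_host, emb_port)
    if source.endswith(":") and "://" not in source:   # scheme-source, e.g. https:
        return source[:-1].lower() == emb_scheme
    # host-source: optional scheme, host (possibly *.wildcard), optional port
    src = source if "://" in source else f"{emb_scheme}://{source}"
    src_scheme, src_host, src_port = _origin(src)
    if "://" in source and src_scheme != emb_scheme:
        return False
    if src_host.startswith("*."):
        if not emb_host.endswith(src_host[1:]):   # "*.x.org" matches "a.x.org", not "x.org"
            return False
    elif src_host != emb_host:
        return False
    return src_port == emb_port


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_allowed(headers, page_url, embedder_url):
    """True if a browser honouring these headers would let embedder_url frame page_url.

    A frame-ancestors directive, when present, takes precedence over X-Frame-Options
    (CSP spec); with neither header present, any site may frame the page."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:   # an empty source list matches nothing
            return any(source_matches(s, page_url, embedder_url) for s in ancestors)
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_url)
    return True   # no framing restriction at all


# Constructed header sets for the situations discussed in the thread.
LOCKED_DOWN = {"Content-Security-Policy": "frame-ancestors 'none'"}
SELF_PLUS_PREVIEWERS = {"Content-Security-Policy":
                        "frame-ancestors 'self' https://previewers.example.org"}
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
OPEN = {}   # what a widget endpoint embedded by arbitrary third-party sites would send

PAGE = "https://dataverse.example.org/dataverse/root"   # hypothetical installation

if __name__ == "__main__":
    for label, hdrs in [("locked down", LOCKED_DOWN), ("self + previewers", SELF_PLUS_PREVIEWERS),
                        ("X-Frame-Options only", XFO_ONLY), ("open", OPEN)]:
        for embedder in ("https://dataverse.example.org/other",
                         "https://previewers.example.org/viewer",
                         "https://thirdparty.example.net/"):
            print(f"{label:22} {embedder:42} {framing_allowed(hdrs, PAGE, embedder)}")
```

The practical reading is that a single site-wide `frame-ancestors 'none'` (or `X-Frame-Options: DENY`) is the strongest anti-clickjacking setting but breaks every embedding use, so a response served on the widget endpoints needs a separate, more permissive policy than the one on the rest of the installation; running the checker against the headers your proxy actually returns for each path is a quick way to confirm the split is in place.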

Philip Durbin

Mar 23, 2023, 4:45:59 PM
to dataverse...@googlegroups.com
Hi Paul,

As you know (but for others), the conversation is taking place here: https://github.com/IQSS/dataverse-security/issues/28

Thanks,

Phil
