Daniel Micay
3991e51b7e
remove legacy Expect-CT header
2022-08-25 23:15:08 -04:00
Rohan Kumar
d6fd0df002
Add "Origin-Agent-Cluster" header
Hint to browsers that we prefer per-origin process isolation. This
disables certain unsafe features regarding cross-origin same-site
resource sharing.
https://web.dev/origin-agent-cluster/#limitations
Specification link:
https://html.spec.whatwg.org/multipage/origin.html#origin-keyed-agent-clusters
This is just a hint to browsers. Depending on resource availability,
they may or may not actually allocate a process. For this reason, it's
not a robust security feature although it is preferable.
This header needs to be active on all pages from an origin for it to
work.
2022-08-25 23:15:08 -04:00
Daniel Micay
e7efc21340
drop configuration for clearing legacy push cookie
2022-05-03 00:25:07 -04:00
June
b77821f4a5
add gamepad and speaker-selection to permissions policy
Signed-off-by: June <zanthed@riseup.net>
2022-04-18 17:06:28 -04:00
Daniel Micay
1bfe29f2eb
rename push cookie for clarity
2021-12-11 10:18:04 -05:00
Daniel Micay
a9a1a3987a
add preload/push for main page phone image
2021-12-11 09:50:51 -05:00
Daniel Micay
ebbf002a73
disable legacy X-XSS-Protection feature
2021-12-10 04:30:34 -05:00
Daniel Micay
7010b230c5
use http2_push instead of http2_push_preload
This avoids needing to conditionally add nopush to each preloaded
resource in the Link header. There's also no support for pushing
JavaScript modules via http2_push_preload since nginx doesn't have
support for rel=modulepreload.
2021-12-05 02:48:44 -05:00
Daniel Micay
fddfa68695
avoid sending unnecessary push cookie
2021-12-04 07:59:53 -05:00
Daniel Micay
fd59a56501
disable idle-detection in Permissions-Policy
2021-11-24 02:10:25 -05:00
Daniel Micay
2d079162d4
mark Expect-CT as largely obsolete
2021-06-08 12:27:04 -04:00
Daniel Micay
5e83027d04
disable unused Clipboard API features
2021-04-18 00:49:50 -04:00
Daniel Micay
1f027a3fce
disable unused hid (WebHID API) feature
2021-04-18 00:40:47 -04:00
Daniel Micay
380e34f435
disable unused serial (Web Serial API) feature
2021-04-18 00:37:16 -04:00
Daniel Micay
3584a627f8
disable interest-cohort feature
2021-04-18 00:34:46 -04:00
Daniel Micay
3cfe562892
enforce strict Trusted Types without policies
2021-03-26 13:44:32 -04:00
Daniel Micay
a0d93f3375
explicitly set SameSite for preload session cookie
2021-03-23 10:46:50 -04:00
Daniel Micay
f298ee4b2b
use once per session preload / push
2021-02-15 04:23:56 -05:00
Daniel Micay
ba302d9f86
use a single Link header for preloading
2021-02-15 03:41:54 -05:00
Daniel Micay
0c006f9afd
add preload headers for core fonts
2021-02-15 03:25:22 -05:00
Daniel Micay
57f77c96cb
drop support for obsolete Feature-Policy header
This has been replaced by Permissions-Policy.
2021-01-26 10:58:00 -05:00
Daniel Micay
548b13c09d
temporarily disable Trusted Types for web-install
This can be enabled again when the zip library supports it.
2021-01-23 20:56:05 -05:00
Daniel Micay
fe063f50fe
add foundation for WebUSB-based install page
2021-01-05 05:34:45 -05:00
Daniel Micay
d0f56dc6ab
document deprecated/obsolete headers
2020-12-31 21:31:07 -05:00
Daniel Micay
dbee9a704c
move TLS configuration into nginx.conf
2020-11-14 04:23:19 -05:00
Daniel Micay
d03e7c28b4
add require-trusted-types-for 'script' to CSP
2020-10-27 04:44:58 -04:00
Daniel Micay
e806721d7c
add COOP / COEP headers
2020-10-27 04:20:17 -04:00
Daniel Micay
701ed6f301
add Permissions-Policy header
2020-10-03 20:53:38 -04:00
Daniel Micay
99b4037444
disable unused publickey-credentials-get feature
2020-09-27 19:10:27 -04:00
Daniel Micay
f59b4f2310
remove unused Feature-Policy speaker directive
2020-09-27 19:07:05 -04:00
Daniel Micay
c0f510be06
handle Feature-Policy standard renaming wake-lock
2020-09-27 18:54:00 -04:00
Daniel Micay
6d04912ef7
drop (unfortunately) obsolete HPKP support
2020-09-27 16:12:11 -04:00
Daniel Micay
27b24277e1
drop usage of report-uri for Expect-CT and CSP
This has proven to be unhelpful and we don't need this kind of reporting
with the simplicity of the site and policies.
2020-07-22 18:41:59 -04:00
Daniel Micay
2343434d83
stop pinning IdenTrust root that's on the way out
2020-04-19 19:20:43 -04:00
Daniel Micay
eb1566f6a1
switch HPKP backup pins
2020-04-07 14:39:56 -04:00
Daniel Micay
ef179138fa
certbot-ocsp-fetcher for reliable OCSP stapling
2020-04-05 04:13:05 -04:00
Daniel Micay
3e4ee0cb28
move nginx https setup into a snippet
2020-04-01 10:30:30 -04:00
Daniel Micay
5a923bd1bb
remove obsolete HPKP report-uri URL
2020-04-01 08:47:16 -04:00
Daniel Micay
9c1ebdd0d8
add nginx configuration
2020-04-01 03:12:09 -04:00