-
Notifications
You must be signed in to change notification settings - Fork 824
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fastly: Include security headers for dl #7278
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ameukam The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if we're not doing auth or hosting web authentication this is kind of /shrug?
what's the case where we care if a web browser tries to do cross-origin here?
Yes but IMHO it doesn't hurt to have them. We don't know if in the future for examples static pages we host will be become dynamic content. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
set resp.http.Referrer-Policy = "origin-when-cross-origin"; | ||
|
||
if (req.protocol == "https") { | ||
set resp.http.Strict-Transport-Security = "max-age=63072000; includeSubDomains"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could add a comment about how we picked the max age.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sftim Done. PTAL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/hold
Feel free to unhold after a wait time for folks to cancel it
Related: - kubernetes#7447 We do not capture the latest-1.txt and stable-1.txt due to the regex rule define for all the version markers.
Add Security headers to the VCL service. Ref: - https://web.dev/secure/ - https://infosec.mozilla.org/guidelines/web_security Signed-off-by: Arnaud Meukam <[email protected]>
52075aa
to
17c3fe5
Compare
New changes are detected. LGTM label has been removed. |
@BenTheElder PTAL |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Add Security headers to the VCL service.
Ref: