
HTTP headers are name-value pairs present in both requests and responses. They carry information about the content being transferred, the client and server software, how the content should be handled, and the security policies the browser must enforce.

The following headers must be set in every response generated by the OpenSpecimen instance. Together they reduce the risk of issues such as cross-site scripting (XSS), clickjacking and drive-by downloads.

Header: X-Content-Type-Options
Value: nosniff
Description: Stops the browser from MIME-sniffing a response away from its declared Content-Type, so a file served as, say, text/plain is never interpreted as a script or style sheet. This blocks content-type confusion attacks and drive-by downloads.

Header: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains
Description: Tells browsers to reach the OpenSpecimen host, and every subdomain of it, only over HTTPS for the next year (31536000 seconds); http:// links are rewritten to https:// before any request is sent. Browsers ignore this header when it arrives over plain HTTP, so it must be emitted by the HTTPS virtual host, and includeSubDomains should only be used when every subdomain supports HTTPS.

Header: Content-Security-Policy
Value: script-src 'self' 'unsafe-eval';
Description: Allows scripts to load only from the application's own origin; injected scripts from other hosts and inline script blocks are refused, which limits XSS. 'unsafe-eval' additionally permits eval() and similar string-to-code calls; it is a deliberate relaxation and should not be widened further (for example with 'unsafe-inline'). Because the policy has no default-src directive, other resource types (styles, images, frames, connections) are not restricted by it.

Header: X-Frame-Options
Value: SAMEORIGIN
Description: Lets OpenSpecimen pages be framed only by pages from the same origin, which prevents clickjacking. Browsers that support the CSP frame-ancestors directive give it precedence when both are present.

Header: Referrer-Policy
Value: same-origin
Description: Sends the Referer header only with same-origin requests; cross-origin requests carry none, so URLs (which may contain record identifiers or query parameters) are not leaked to third-party sites.

Header: Permissions-Policy
Value: accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()
Description: Disables the browser features the application does not use. An empty allowlist, (), denies the feature everywhere; (self) allows it only for the application's own origin (geolocation, synchronous XMLHttpRequest); * allows it for all origins (fullscreen). interest-cohort=() opts the site out of Chrome's FLoC trial.

Apache Configuration

The following should be added to the OpenSpecimen virtual host configuration, specifically the HTTPS virtual host, since browsers ignore Strict-Transport-Security received over plain HTTP. The directives require mod_headers; on Debian and Ubuntu enable it with a2enmod headers and reload Apache.

# Requires mod_headers. Place inside the HTTPS <VirtualHost> serving OpenSpecimen.
Header always set X-Content-Type-Options nosniff
# One year; browsers only honour this header when it is received over HTTPS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "script-src 'self' 'unsafe-eval';"
# Replace, rather than duplicate, any X-Frame-Options value the application
# sends itself: clear it from the "always" table, then set it exactly once.
Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()"
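Once the configuration is live, confirm that the headers actually reach the browser rather than trusting the virtual host file. The script below is an added example, not part of the OpenSpecimen documentation or code base. It reads a captured response (as written by curl -sSI https://your-openspecimen-host/), checks each header listed above for exactly the configured value, and also flags a header that appears twice, which is the situation the unset/set pair for X-Frame-Options is there to avoid. The two responses it examines are constructed samples embedded in the script so that it runs offline; the hostname in the comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the OpenSpecimen project): verify that an HTTP
# response carries every required security header with the configured value.
#
# Real use:  curl -sSI https://your-openspecimen-host/ > headers.txt
#            check_headers headers.txt
# Below, two constructed sample responses stand in for the captured file.

# Required headers, one "Name|expected value" pair per line.
REQUIRED_HEADERS=$(cat <<'EOF'
X-Content-Type-Options|nosniff
Strict-Transport-Security|max-age=31536000; includeSubDomains
Content-Security-Policy|script-src 'self' 'unsafe-eval';
X-Frame-Options|SAMEORIGIN
Referrer-Policy|same-origin
Permissions-Policy|accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()
EOF
)

# check_headers FILE
# FILE holds raw response headers as written by "curl -sSI".  Prints one line
# per required header (OK / MISSING / MISMATCH / DUPLICATE) and returns 1 if
# anything is wrong.  Names are matched case-insensitively; the value is
# compared exactly after stripping the CR and surrounding whitespace.
check_headers() {
  hdrs=$1
  rc=0
  while IFS='|' read -r name want; do
    [ -n "$name" ] || continue
    n=$(grep -ic "^$name:" "$hdrs" || true)
    got=$(grep -i "^$name:" "$hdrs" | head -n 1 | cut -d: -f2- \
          | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$n" -eq 0 ]; then
      echo "MISSING   $name"; rc=1
    elif [ "$n" -gt 1 ]; then
      # Two copies (e.g. one from the application, one from Apache) can make
      # browsers apply the wrong one; the Apache config above avoids this.
      echo "DUPLICATE $name ($n copies)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH  $name: got '$got'"; rc=1
    else
      echo "OK        $name"
    fi
  done <<EOF
$REQUIRED_HEADERS
EOF
  return $rc
}

# Constructed sample: response from a correctly configured virtual host.
sample_good() {
  printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Server: Apache' \
    'X-Content-Type-Options: nosniff' \
    'Strict-Transport-Security: max-age=31536000; includeSubDomains' \
    "Content-Security-Policy: script-src 'self' 'unsafe-eval';" \
    'X-Frame-Options: SAMEORIGIN' \
    'Referrer-Policy: same-origin' \
    'Permissions-Policy: accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()' \
    'Content-Type: text/html;charset=UTF-8' \
    ''
}

# Constructed sample: HSTS missing, CSP widened with 'unsafe-inline', and
# X-Frame-Options sent twice (application said DENY, Apache added SAMEORIGIN).
sample_bad() {
  printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Server: Apache' \
    'X-Content-Type-Options: nosniff' \
    "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';" \
    'X-Frame-Options: DENY' \
    'X-Frame-Options: SAMEORIGIN' \
    'Referrer-Policy: same-origin' \
    'Permissions-Policy: accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()' \
    'Content-Type: text/html;charset=UTF-8' \
    ''
}

# Stand-alone run over both constructed samples.
tmp=$(mktemp)
sample_good > "$tmp"; echo "== correctly configured host"; check_headers "$tmp"
sample_bad  > "$tmp"; echo "== misconfigured host";       check_headers "$tmp" || echo "hardening incomplete"
rm -f "$tmp"
```

Run it after every Apache change and after application upgrades: the application server may begin emitting its own copy of a header, and the DUPLICATE case is exactly what the "Header always unset" line in the configuration above is meant to prevent.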