Summary*
Improve website security by adding missing HTTP security headers and fixing unsafe external link behavior.
Context*
The security audit identified multiple missing security-related headers and external link issues.
Missing/improvable headers:
- Content-Security-Policy
- X-Frame-Options
- Permissions-Policy
- Referrer-Policy
Additional issue:
- External link using target="_blank" without rel="noopener": the opened page receives a window.opener reference back to this site (reverse tabnabbing) and, without rel="noreferrer", also the full referrer URL
Why is this needed?
Security headers:
- reduce attack surface: Content-Security-Policy restricts where scripts, styles and other resources may load from, which limits what an injected script (XSS) can do
- improve browser security: Permissions-Policy disables browser features the site does not use (camera, microphone, geolocation, payment)
- prevent clickjacking: X-Frame-Options (and the CSP frame-ancestors directive) stop the site being embedded in a third-party frame
- limit data leakage: Referrer-Policy controls how much of the current URL is sent to other origins
- improve production readiness: these headers are checked by common audit tools and expected of a public site
Tasks
- Add Content-Security-Policy header
- Add X-Frame-Options header
- Add Permissions-Policy header
- Add Referrer-Policy header
- Fix external link security attributes
- Improve HSTS configuration (Strict-Transport-Security max-age, includeSubDomains, and preload only once every subdomain is served over HTTPS)
Acceptance criteria*
- Security headers are present in production responses (verify with the browser network inspector or `curl -sI` against the deployed site, not only in local development)
- External links using target="_blank" include rel="noopener noreferrer" (current browsers imply noopener for target="_blank", but the explicit attribute still covers older browsers and noreferrer is not implied)
- Security audit score improves (securityheaders.com grade)
- No functionality breaks after implementation: in particular, the Content-Security-Policy must not block any first-party script, style, image or font (check the browser console for CSP violation messages on every page type)
Suggested approach
Helpful resources:
- MDN Web Docs
- Next.js headers configuration
- Helmet.js documentation
Test using:
- securityheaders.com
- browser network inspector
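Added example for the tasks above (not code from this issue or the repository): a Next.js `headers()` configuration that emits the flagged headers for every route, a helper that audits a captured set of response headers against the expected values, and a helper that adds rel="noopener noreferrer" to target="_blank" anchors in an HTML string. The CSP directives, Permissions-Policy feature list, HSTS values and the sample HTML are assumptions chosen for illustration and should be adjusted to what the site actually loads.

```javascript
// Added example, not the project's own code. Directive values and samples
// below are assumptions for illustration; tune them to the real site.

const SECURITY_HEADERS = [
  {
    key: "Content-Security-Policy",
    // Restrictive baseline: first-party only. Add specific third-party hosts
    // rather than 'unsafe-inline' for scripts. If Next.js pages break under
    // this, switch to the nonce-based setup from the Next.js CSP docs or roll
    // out with Content-Security-Policy-Report-Only first.
    value: [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data:",
      "font-src 'self'",
      "object-src 'none'",
      "base-uri 'self'",
      "form-action 'self'",
      "frame-ancestors 'none'",
      "upgrade-insecure-requests",
    ].join("; "),
  },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  {
    key: "Permissions-Policy",
    value: "camera=(), microphone=(), geolocation=(), payment=()",
  },
  // Two years, all subdomains, preload list eligible. Only keep "preload"
  // once every subdomain is served over HTTPS; it is hard to undo.
  {
    key: "Strict-Transport-Security",
    value: "max-age=63072000; includeSubDomains; preload",
  },
  { key: "X-Content-Type-Options", value: "nosniff" },
];

// Shape expected by next.config.js: apply the header set to every route.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: SECURITY_HEADERS }];
  },
};

// Compare a response's headers (e.g. pasted from the network inspector or
// read from fetch(...).headers) against the expected set. Header names are
// case-insensitive, so compare on lowercased keys.
function auditHeaders(responseHeaders) {
  const present = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const missing = [];
  const mismatched = [];
  for (const { key, value } of SECURITY_HEADERS) {
    const got = present.get(key.toLowerCase());
    if (got === undefined) missing.push(key);
    else if (got !== value) mismatched.push(key);
  }
  return {
    missing,
    mismatched,
    ok: missing.length === 0 && mismatched.length === 0,
  };
}

// Add rel="noopener noreferrer" to every <a target="_blank"> that lacks it,
// preserving any rel tokens already present (e.g. nofollow). Intended for
// static HTML strings; in JSX fix the attributes on the <a> element instead.
function fixExternalLinks(html) {
  return html.replace(/<a\b[^>]*>/gi, (tag) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return tag;
    const relMatch = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const tokens = new Set(
      relMatch ? relMatch[1].split(/\s+/).filter(Boolean) : []
    );
    tokens.add("noopener");
    tokens.add("noreferrer");
    const rel = `rel="${[...tokens].join(" ")}"`;
    return relMatch
      ? tag.replace(relMatch[0], rel)
      : tag.replace(/\s*\/?>$/, (end) => ` ${rel}${end}`);
  });
}

// Constructed sample: one external link missing rel, one internal link.
const SAMPLE_HTML =
  '<a href="https://example.com" target="_blank">Docs</a> <a href="/about">About</a>';
console.log(fixExternalLinks(SAMPLE_HTML));
console.log(auditHeaders({ "x-frame-options": "DENY" }));
```

To check the deployed site rather than the config, run `curl -sI https://<your-host>/` and paste the header lines into `auditHeaders`; a non-empty `missing` list on the production response usually means the headers were set in a layer (CDN, reverse proxy) that is overriding or not forwarding the Next.js headers.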
Out of scope
- Full authentication system
- Backend infrastructure redesign
Remember, contributions to this repository should follow its contributing guidelines, security policy and code of conduct.