A community member discovered a tool called "HTTP Observatory" on MDN and used it to analyze their Webstudio-hosted websites. The tool reported some issues, and the community member is unsure if these can be addressed on their side (e.g., through Cloudflare) or if it requires action from Webstudio. The community members discuss whether these issues are security concerns that need to be addressed, with some suggesting that the headers can be set through the framework or meta tags, and that a permissive model may be sufficient. They decide to create an issue on the Webstudio repository to document the discussion and determine the appropriate course of action.
The attached image has the same issues on a few sites that I've published with Webstudio. Is this something that can be improved on my side (cloudflare or within the builder) or will it need to be Webstudio hosting?
You can surely set them if you proxy requests via a worker, or maybe even just in CF settings (not sure), but we should set those headers ourselves anyway.
I am not sure any of these are actually a security threat in our case. @Ivan Starkov would know more.
All such headers are usually set on the framework, i.e. Remix in our case. Anyway, the same can be done with meta tags: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';" />. Not sure we need this, as we are allowing 3rd party scripts, we are allowing 3rd party images, etc. And as of now the default policies cover this.
Should we create an issue to keep these reports somewhere in case this discussion comes up again? It would be good to have a pointer to link to, with these specific answers there.
I think there are 3 headers mentioned there; are they all not a security issue? Can you please address each of them individually in the issue? If it's not a security concern, it's fine, I just want to have a written statement in the issue I can link to if this comes up again.