add meteor to http headers #34
Description
Hi,
First off: Thanks for an insightful (and outcome-oriented) article.
I realize Meteor isn’t really the cool kid on the block anymore, but I personally use it to quickly prototype apps. Thought I’d share the resources I’ve found in relation to the topics covered in your blog post:
X-XSS-Protection
Content Security Policy
X-Frame-Options
X-Content-Type-Options
For a simplified setup of the above, there’s a package ‘browser-policy’, the can be used: https://atmospherejs.com/meteor/browser-policy
HTTP Strict Transport Security (HSTS)
https://gist.github.com/strikeout/7447575
Referrer-Policy
https://gist.github.com/bjornlll/0e3b397808acb659b2b5588d9bd629cc
Cookie Options
https://github.com/VeliovGroup/Meteor-Cookies
It should be noted that most of the above fixes that relates to HTTP headers is probably better configured on whichever proxy the target Meteor deployment is using, e.g. Nginx.
Thanks for a great post. I’ll be implementing all of the above in present and future apps that I’ll be rolling out.
Best,
Björn