Improve default security with headers?

I’m wondering if perhaps Meteor should set certain headers like Cross-Origin-Opener-Policy to same-origin by default, etc, to make Meteor apps more tamper proof, as well as enabling cool features like SharedArrayBuffer by default.

It seems like a good idea to start with the most secure settings, then the docs can guide people how to relax settings.

Currently I do this manually by intercepting requests with WebApp.rawHandlers.

I also see there’s a BrowserPolicy API available to control some of these features, but I think the docs can be improved a bit to explain how each setting maps to specific headers. Plus, some headers, like Cross-Origin-Opener-Policy, are still not enabled by default (even if there may be a BrowserPolicy API for them, but I’m not sure from a skim of those docs).

Other frameworks default to same-origin for Cross-Origin-Opener-Policy, etc. For example the pgadmin4 setting and Django setting

The idea is n00bs making apps will be most protected by default, and people who learn security can strategically relax rules.

Thoughts?

Coincidentally, a related topic: Content Security Policy in 3.4

Today we recommend to use helmet for http headers, but I agree with you since meteor is an opined framework it shold be safe by default.

Do you mind to open an issue about it? I will label it as a good-first-issue

I believe it might be a good time to revisit this. Please consider re-opening it @italojs

Tracked in GitHub · Where software is built

Coincidentally this thread in GitHub Discussion, Content Security Policy 🛂 · meteor/meteor · Discussion #11591 · GitHub, is second most recent. (EDIT: Oh that’s because you just commented there Italo )

(as these forums already exist, it might be nice to have a feature request category here, instead of two forums, and link the issue template to here).