Evaluate security headers for the public documentation site #125

Description

@jeremi

Context

OpenSSF Best Practices asks projects to consider secure delivery of project sites. Registry Stack has a public docs site, but the repo does not currently track a public decision about HTTP security headers for that site.

Scope

  • Inventory which security headers are currently applied to the public docs site, without publishing private hosting details.
  • Decide which headers are appropriate for a static documentation site, such as HSTS, Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, and Permissions-Policy.
  • If the repo owns the deployment header config, add it and verify it.
  • If headers are controlled outside the repo, document the public expectation and the verification command instead.

Done when

  • The repo has a public issue or doc decision for docs-site security headers.
  • The chosen headers are either configured in repo or documented as an operator/deployment requirement.
  • A repeatable check or manual verification command is documented.

Non-goals

  • Do not expose private hosting provider settings, deployment credentials, or internal infrastructure notes.
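As an added example of the repeatable check the "Done when" list asks for (not code from this issue or the Registry Stack repo), the script below parses a response head and reports headers that are missing or weaker than a baseline; the baseline values, the one-year HSTS threshold, and the sample response are assumptions to adjust for the real site.

```python
"""Check the HTTP security headers of a static docs site against an expected baseline."""
import sys
import urllib.request

# Baseline for a static docs site (assumption; adjust per site). A string value is a
# substring the header must contain; None means presence alone is checked.
EXPECTED = {
    "strict-transport-security": "max-age=",
    "content-security-policy": "default-src",
    "referrer-policy": None,
    "x-content-type-options": "nosniff",
    "permissions-policy": None,
}
ONE_YEAR = 31536000  # common minimum HSTS max-age; assumed threshold

def parse_headers(raw: str) -> dict:
    """Parse a raw response head (status line plus header lines) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(headers: dict) -> list:
    """Return findings as strings; an empty list means the baseline is met."""
    findings = []
    for name, required in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif required and required not in value.lower():
            findings.append(f"weak: {name}={value!r} (expected {required!r})")
    hsts = headers.get("strict-transport-security", "").lower()
    if "max-age=" in hsts:  # a short max-age gives little protection after the first visit
        max_age = int(hsts.split("max-age=")[1].split(";")[0].strip() or 0)
        if max_age < ONE_YEAR:
            findings.append(f"weak: strict-transport-security max-age={max_age} (<1 year)")
    return findings

# Constructed sample response head; not captured from any real site.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":  # pass a URL to check the live site, else use the sample
    hdrs = parse_headers(SAMPLE) if len(sys.argv) < 2 else dict(
        (k.lower(), v) for k, v in urllib.request.urlopen(sys.argv[1]).getheaders())
    print("\n".join(check_headers(hdrs) or ["ok: baseline met"]))
```

Run with the docs URL as the only argument to check the deployed site; a non-empty list of findings is the signal to fix the header config or the operator documentation.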
