akka/akka-http

Add HTTP security headers

Open

#155 opened on Sep 8, 2016

View on GitHub
 (4 comments) (0 reactions) (0 assignees)Scala (1,311 stars) (598 forks)batch import
1 - triagedhelp wantednice-to-have (low-prio)

Description

Issue by pawelprazak Monday Apr 18, 2016 at 14:58 GMT Originally opened as https://github.com/akka/akka/issues/20357

OWASP lists the most common security related headers:

  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Content-Security-Policy
  • Public-Key-Pins
  • Strict-Transport-Security

Do you plan to add them, or is it out of scope?

If I would to make a pull request, is this the right place to start:

  • akka.http.scaladsl.model.headers
  • akka.http.javadsl.model.headers
  • akka.http.impl.model.parser

Contributor guide

Tech stack
javascala
Domain
backendsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Scala programmingAkka HTTP basics
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Implement the OWASP security headers as model classes and parsers. Start by examining the existing header models in akka.http.scaladsl.model.headers and akka.http.javadsl.model.headers for pattern, then add new header classes for each security header. Also need to update the parser in akka.http.impl.model.parser to recognize the new headers. Note that this issue is from 2016, so verify the current codebase structure and ensure compatibility with the latest version.