Security improvements

[resir014]

Overview

This is a master issue to track all security-related improvements to WBW.

Currently the WBW website is still missing some essential security headers, as detected by securityheaders.com

Current Tasks

• Add security.txt file to make it easier for security researchers to submit security vulnerability reports #482
• Prevent clickjacking with X-Frame-Options: DENY header #608
• Prevent content type sniffing with X-Content-Type-Options: nosniff header #609
• Add a Permissions-Policy header to disallow features that we don't use #610
• Add a Content-Security-Policy header to prevent cross-site scripting (XSS) attacks #611
• Migrate to typesense as search backend #374

[resir014]

Thanks to the changes implemented here, our security score is now at A. 🎉

However, we still need to implement proper security vulnerability reporting measures, as dictated by #482. Please direct all attentions for this epic to that issue from now on.

[resir014]

All of these tasks are done!

However, Snyk still gives us a security score of B, due to our use of Lodash, as mentioned here:

Shall we keep this issue open until this issue is resolved, or should we close this and let this be tracked in #374? @zainfathoni @mazipan

[zainfathoni]

Let's keep it open and add #374 as a task in this epic since we can track the same issue in multiple epics.
That would emphasize the importance of #374.