2023-06-23, 07:32 PM
My initial thoughts are:
- CSRF tokens would be good to add, but probably a lower priority than some of the other known issues atm. (This will require a coordinated effort between server and web.)
- Our reverse proxy documentation does cover adding CSP headers, and we are somewhat limited with what we can add to avoid breaking apps that bundle or wrap the web interface, but we could probably ship some less strict defaults. (This would largely fall on the server side to implement.) There are a couple existing issues and feature requests that are tracking this.
- This one looks like a false positive. It seemed to pickup some of our help text for adding server urls as hardcoded IP addresses. We've seen similar false reports for version number checks that use four digits (i.e. 3.4.1.2).
