TLS config + HTTP headers

Question

There are a few details that could be tuned in the TLS and HTTP configurations: 

• The list of supported TLSv1.2 cipher suites could be narrowed down to only the recommended ciphers (forward secrecy, DHE, no CBC). In my opinion, security is more important than supporting the 1% of users with unsupported browsers on unsupported OS. Having either supported browser or supported OS is enough to have modern cipher suites in TLSv1.2. See details here: https://www.ssllabs.com/ssltest/analyze.html?d=www.wikitree.com
• As HSTS is used, all communication is done over HTTPS, so using the "__Secure-" prefix and the "Secure" flag is recommended for cookies to help prevent stealing user's session https://infosec.mozilla.org/guidelines/web_security#cookies
• Some scripts and stylesheets are referenced with "same protocol" - like src="//ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js". This should explicitly state "https://" - like src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js"
• The "X-Content-Type-Options: nosniff" header costs nothing and prevents from script injection - see https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
• The "Referrer-Policy" header should be set either to "strict-origin" or to "strict-origin-when-cross-origin"
• The "X-Frame-Options" header should be set unless there is a good reason for a use-case with WikiTree in an iframe - see https://infosec.mozilla.org/guidelines/web_security#x-frame-options
• "Content-Security-Policy" could be configured, but that is a rabbit hole https://infosec.mozilla.org/guidelines/web_security#content-security-policy
• Similar with "Permissions-Policy" - see https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

Answer 1

Thanks Vojta, I've passed these suggestions on to our server admin and main programmer.