TLS config + HTTP headers
+4 votes, 124 views
There are a few details that could be tuned in the TLS and HTTP configurations:

- The list of supported TLSv1.2 cipher suites could be narrowed down to only the recommended ciphers (forward secrecy, DHE, no CBC). In my opinion, security is more important than supporting the 1% of users with unsupported browsers on an unsupported OS. Having either a supported browser or a supported OS is enough to have modern cipher suites in TLSv1.2. See details here: https://www.ssllabs.com/ssltest/analyze.html?d=www.wikitree.com
- As HSTS is used, all communication is done over HTTPS, so using the "__Secure-" prefix and the "Secure" flag is recommended for cookies to help prevent stealing the user's session: https://infosec.mozilla.org/guidelines/web_security#cookies
- Some scripts and stylesheets are referenced with "same protocol" - like src="//ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js". This should explicitly state "https://" - like src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js"
- The "X-Content-Type-Options: nosniff" header costs nothing and prevents script injection - see https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
- The "Referrer-Policy" header should be set either to "strict-origin" or to "strict-origin-when-cross-origin"
- The "X-Frame-Options" header should be set unless there is a good reason for a use-case with WikiTree in an iframe - see https://infosec.mozilla.org/guidelines/web_security#x-frame-options
- "Content-Security-Policy" could be configured, but that is a rabbit hole: https://infosec.mozilla.org/guidelines/web_security#content-security-policy
- Similar with "Permissions-Policy" - see https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
Tags: improvements
asked Feb 11 in WikiTree Tech by Vojta Miklín, G2G Crew (810 points)
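To turn the checklist in the question above into something a site operator can run against their own responses, here is an added example (not code from the post or from WikiTree) that audits a captured header set for the items listed: HSTS, nosniff, Referrer-Policy, X-Frame-Options, the Secure flag and __Secure- prefix on cookies, and protocol-relative script/stylesheet references in the HTML. The header sets and HTML fragment are constructed samples, and the cookie name wt_session is an assumption, not a real WikiTree cookie.

```python
import re

# Values the post recommends for Referrer-Policy.
RECOMMENDED_REFERRER = {"strict-origin", "strict-origin-when-cross-origin"}
# Matches src="//host/..." or href='//host/...' (protocol-relative references).
PROTOCOL_RELATIVE = re.compile(r'(?:src|href)\s*=\s*["\'](//[^"\']+)["\']', re.I)

def audit_headers(headers):
    """Return findings for one response's headers (names compared case-insensitively;
    Set-Cookie may be a single string or a list of strings)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (HSTS)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("referrer-policy", "").strip().lower() not in RECOMMENDED_REFERRER:
        findings.append("Referrer-Policy is not strict-origin or strict-origin-when-cross-origin")
    # A CSP frame-ancestors directive is the modern replacement for X-Frame-Options.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    cookies = h.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure flag")
        if not name.startswith(("__Secure-", "__Host-")):
            findings.append(f"cookie {name} lacks the __Secure- prefix")
    return findings

def find_protocol_relative(html):
    """Return every protocol-relative script/stylesheet URL found in html."""
    return PROTOCOL_RELATIVE.findall(html)

# Constructed sample header sets (not real responses): a weak one and a hardened one.
WEAK = {"Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": "wt_session=abc123; Path=/; HttpOnly"}  # wt_session is assumed
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": ["__Secure-wt_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
# Constructed HTML fragment with one protocol-relative script reference.
SAMPLE_HTML = ('<script src="//ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js"></script>'
               '<link rel="stylesheet" href="https://example.invalid/site.css">')

if __name__ == "__main__":
    print(audit_headers(WEAK), audit_headers(HARDENED), find_protocol_relative(SAMPLE_HTML))
```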
1 Answer

+10 votes, Best answer
Thanks Vojta, I've passed these suggestions on to our server admin and main programmer.
answered Feb 13 by Jamie Nelson, G2G6 Pilot (636k points)
selected Feb 13 by Vojta Miklín