Infrastructure

With the HTTPS ticket (#2312) pending, the results won't be optimal - but if possible, I'd like to see a first scan by LibOCon, so we know if there is something else that needs to be fixed independently

Eike pointed me to https://webbkoll.dataskydd.net which is an additional service to check with

What prevents us from doing that? This has been pending since last LibOCon actually, and it shouldn't take too much time IMHO to do a first run
Is this sth. maybe another team member can help with?

I'm personally really not fond of the hype for gamification of security, and blindly applying the same scoring algorithm for all services doesn't make sense IMHO. For example for a bunch of static & self-contained pages that are only modifiable by root, a CSP is far less useful than for a forum with user-provided content. Sure, a strict CSP doesn't hurt, but a missing CSP will significantly lower the score equally in both cases, thus in my eyes the score should be taken with a grain of salt. Blindly aiming for a perfect score, and give ourselves a pad on the back and brag about it when/if we're there, isn't necessarily helpful.

FWIW the checks were done a while ago already (2018). Also it's a third party service, no need to have special infra powers for that — some stuff, like HSTS and HPKP, should be implemented by the infra team indeed; for others like CSP, referrer policy and other custom headers the various upstream frontends are in a much better position to do that (or document it so we can it to our HTTPd config).

HSTS, HPKP and CSP have been on the table for a while, see old infra call minutes; for the rest we need to have hints from the various upstream teams. They might need to refactor their code accordingly too, for instance isolate the CSS/JS code — for some, like Nextcloud, it's already in place; for the rest we need to wait for new releases.