
Browser security

OWASP secure headers

OWASP Secure Headers Project validator runs daily against production.

Healthy

12/17 passed · 0 actionable · 5 excluded

Checked 5/29/2026, 3:16:16 AM · Source: Continuous integration

OWASP Secure Headers Project Venom validator. Tests against the OSHP recommendations (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Resource-Policy, etc). 5 test(s) deliberately excluded with documented rationale (Content-Security-Policy, Referrer-Policy, Clear-Site-Data, Cross-Origin-Embedder-Policy, Cache-Control) — see findings list (severity=info) or .venomignore.json for the full justification per test.

What this check means

We use the OWASP Secure Headers Project (OSHP) reference validator — Venom-based — to test our HTTP response headers against OSHP recommendations. Tests cover Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Resource-Policy and others. The official OWASP YAML test suite is fetched fresh each run.

Documented exclusions (5)

5 finding types are deliberately not actioned here. Grouped by reason below — we publish them so the trade-offs and false-positive suppressions are visible and reviewable, not hidden.

Trade-offs · 5

Recommended setting would break legitimate functionality. We accept the finding instead.

  • Content-Security-Policy

    OWASP requires CSP without `unsafe-inline` or any `eval` family directive. Two intentional deviations: (1) `unsafe-inline` — Next.js's React hydration requires inline `<script>` tags; eliminating it needs a per-request nonce-based CSP threaded through every render path (substantial refactor that also has to coexist with our 6 third-party scripts: Cloudflare Insights, Sentry, Auth0, Google Ads, Microsoft Clarity, Google Analytics). (2) `wasm-unsafe-eval` — required in production for client-side PDF export (@react-pdf/renderer compiles a WASM font/layout module via WebAssembly.instantiate). This is the narrow modern directive that permits WASM compile/instantiate ONLY — it does NOT permit JS eval(), new Function(), or string-form setTimeout. Removing it breaks PDF export with a CompileError. The broad `unsafe-eval` remains absent from the production CSP.

  • Referrer-Policy

    OWASP requires `no-referrer`. We use `strict-origin-when-cross-origin` because Sentry session-replay, Auth0 universal-login callback, and Google Analytics all rely on the Referer header for attribution and correlation. Stripping referrer breaks observability and conversion tracking with no security gain on a same-site product.

  • Clear-Site-Data

    OWASP recommends Clear-Site-Data on every response. Applied globally, this wipes cookies/storage on every page load — every navigation logs the user out. We only emit this header on the explicit logout endpoint (workers/api/src/routes/auth/logout/route.ts), where it's the correct behaviour.

  • Cross-Origin-Embedder-Policy

    OWASP requires `require-corp`. Setting this breaks the Auth0 universal-login flow (uses cross-origin iframes for the login UI), Google Ads creative iframes, and Cloudflare Turnstile. The hardening it provides (cross-origin isolation for SharedArrayBuffer / high-resolution timers) is irrelevant to our app — we don't use either.

  • Cache-Control

    OWASP wants `Cache-Control: no-store, max-age=0` on every response. Applied globally that disables Cloudflare's edge cache for our public content (insights, frameworks, comparisons, etc.) and forces every page render through OpenNext on the worker — slower for users, more expensive at scale. We apply `no-store` selectively on authenticated paths (/admin, /dashboard, /command-center, etc.) where it's correct, and let public content cache. The OWASP test reflects a security-paranoid posture more appropriate for fully-authenticated apps than for content sites with a public surface.
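The exclusions above describe a per-path header policy (no-store only where a session exists, Clear-Site-Data only on logout) and a CSP rule (the narrow `wasm-unsafe-eval` is tolerated, the broad `unsafe-eval` is not). The following TypeScript is an added example that encodes those rules so they can be unit-tested in CI; it is not the project's own middleware or the Venom validator. Paths, the Referrer-Policy and Cache-Control values come from this page; the logout URL, the public cache lifetime, the function names and the header values for the non-excluded headers (which follow the OSHP recommendations) are assumptions.

```typescript
// Added example, not the project's own code. Values marked "from the page"
// come from the exclusions above; everything else is an assumption.

// Authenticated path prefixes that must never be cached (from the page).
const NO_STORE_PREFIXES = ["/admin", "/dashboard", "/command-center"];
// Hypothetical public URL of the logout route; the page names only its source file.
const LOGOUT_PATH = "/api/auth/logout";
// Assumed edge-cache lifetime for public content.
const PUBLIC_CACHE_CONTROL = "public, max-age=300";

function isAuthenticatedPath(pathname: string): boolean {
  return NO_STORE_PREFIXES.some(
    (prefix) => pathname === prefix || pathname.startsWith(prefix + "/"),
  );
}

// Build the response headers for one request path, applying the selective
// Cache-Control and Clear-Site-Data policy described above.
function securityHeadersFor(pathname: string): Record<string, string> {
  // The logout response must not be cached either, even though it is not under
  // an authenticated prefix.
  const noStore = isAuthenticatedPath(pathname) || pathname === LOGOUT_PATH;
  const headers: Record<string, string> = {
    // OSHP-recommended values for the headers the page does not exclude.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Resource-Policy": "same-origin",
    // Accepted deviation from OSHP's no-referrer (from the page).
    "Referrer-Policy": "strict-origin-when-cross-origin",
    // no-store only where a session is involved; public pages stay cacheable.
    "Cache-Control": noStore ? "no-store, max-age=0" : PUBLIC_CACHE_CONTROL,
  };
  if (pathname === LOGOUT_PATH) {
    // Only the logout endpoint wipes client state.
    headers["Clear-Site-Data"] = '"cache", "cookies", "storage"';
  }
  return headers;
}

// Parse a serialized CSP into directive name -> source expressions.
function parseCsp(csp: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const chunk of csp.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources); // nonces/hashes keep their case
  }
  return directives;
}

function hasKeyword(sources: string[], keyword: string): boolean {
  return sources.some((s) => s.toLowerCase() === keyword);
}

interface CspLint {
  errors: string[]; // must be fixed before deploy
  accepted: string[]; // documented deviations, reported but not blocking
}

// Encode the CSP rule the page commits to: 'wasm-unsafe-eval' may appear,
// the broad 'unsafe-eval' may not; 'unsafe-inline' without a nonce is the
// tracked deviation and is reported rather than failed.
function lintCsp(csp: string): CspLint {
  const result: CspLint = { errors: [], accepted: [] };
  const directives = parseCsp(csp);
  const script = directives.get("script-src") ?? directives.get("default-src") ?? [];
  if (script.length === 0) {
    result.errors.push("no script-src or default-src directive");
    return result;
  }
  if (hasKeyword(script, "'unsafe-eval'")) {
    result.errors.push("script-src allows 'unsafe-eval' (JS eval / new Function)");
  }
  const hasNonce = script.some((s) => s.toLowerCase().startsWith("'nonce-"));
  if (hasKeyword(script, "'unsafe-inline'") && !hasNonce) {
    result.accepted.push("script-src uses 'unsafe-inline' without a nonce");
  }
  if (hasKeyword(script, "'wasm-unsafe-eval'")) {
    result.accepted.push("script-src allows 'wasm-unsafe-eval' (WASM compile only)");
  }
  return result;
}
```

Running `lintCsp` over the deployed policy in CI keeps the two deviations visible as `accepted` entries while still failing the build the moment `'unsafe-eval'` creeps in; once a nonce is present in `script-src`, the `'unsafe-inline'` note disappears on its own, which is the signal that the refactor described above has landed.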

Recent runs

When | Result | Source
5/29/2026, 3:16:16 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/28/2026, 3:17:50 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/27/2026, 3:22:52 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/26/2026, 3:19:03 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/25/2026, 3:17:53 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/24/2026, 3:19:39 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/23/2026, 3:14:29 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/22/2026, 3:19:08 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/21/2026, 6:14:28 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/21/2026, 3:16:50 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/20/2026, 3:22:22 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/19/2026, 3:18:38 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/18/2026, 3:18:06 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/17/2026, 3:15:09 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/16/2026, 3:14:08 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/15/2026, 3:17:16 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/14/2026, 3:14:12 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/13/2026, 3:15:15 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/12/2026, 3:15:07 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/11/2026, 3:17:06 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/10/2026, 3:14:28 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/9/2026, 5:27:23 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/9/2026, 3:13:49 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/8/2026, 4:48:37 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/8/2026, 3:53:01 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/7/2026, 3:16:40 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/6/2026, 3:15:09 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/5/2026, 3:32:30 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/5/2026, 3:14:20 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration
5/4/2026, 3:18:55 AM | 12/17 passed · 0 actionable · 5 excluded | Continuous integration

Need additional detail (sanitised report, supporting evidence)? security@theartofcto.com