Context
OpenSSF Best Practices asks projects to consider secure delivery of project sites. Registry Stack has a public docs site, but the repo does not currently track a public decision about HTTP security headers for that site.
Scope
- Inventory which security headers are currently applied to the public docs site, without publishing private hosting details.
- Decide which headers are appropriate for a static documentation site, such as HSTS, Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, and Permissions-Policy.
- If the repo owns the deployment header config, add it and verify it.
- If headers are controlled outside the repo, document the public expectation and the verification command instead.
Done when
- The repo has a public issue or doc decision for docs-site security headers.
- The chosen headers are either configured in repo or documented as an operator/deployment requirement.
- A repeatable check or manual verification command is documented.
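One way to make the verification check repeatable, as an added example that is not code from the Registry Stack repo: parse the response head that `curl -sI <docs-url>` prints and report headers from the list above that are missing or weak. The header set, the one-year HSTS threshold and the sample responses are assumptions and constructed inputs, not captured from any real site.

```python
import re

# Added example (not Registry Stack code). The header set and thresholds are
# assumptions for a static docs site; align them with the repo's decision.
MIN_HSTS_MAX_AGE = 31536000  # assumption: require at least one year


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw response head (as printed by `curl -sI URL`) into a dict
    keyed by lowercased header name; the status line is skipped."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for missing or weak headers; an empty list means pass."""
    findings: list[str] = []
    hsts = headers.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not max_age or int(max_age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "default-src" not in csp:
        findings.append("CSP has no default-src fallback directive")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in headers:
            findings.append(f"missing {name}")
    return findings


# Constructed sample response heads (not captured from any real site).
SAMPLE_OK = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; img-src 'self' data:; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
"""
SAMPLE_WEAK = "HTTP/2 200\nstrict-transport-security: max-age=300\nx-content-type-options: NOSNIFF\n"
```

Feeding it live output (`curl -sI <docs-url> | python3 -c '...'`) is the manual verification command; running it over a stored expected head turns it into the repeatable check.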
Non-goals
- Do not expose private hosting provider settings, deployment credentials, or internal infrastructure notes.