Kronos is a WASM filter for Envoy intended to add header security inspired by HelmetJS when serving content to the browser with response headers. Ideally the WASM filter should sit on the pod that is serving traffic to a browser.
To deploy via gloo and wasme:
wasme deploy gloo webassemblyhub.io/haggs/kronos:latest --id=kronos
via istio and wasme:
wasme deploy istio webassemblyhub.io/haggs/kronos:latest --id=kronos
Alternatively you can apply the FilterDeployment resource (see example FilterDeployment)
See an example with detailed instructions in the example directory.
Currently Kronos supports the following headers:
X-XSS_Protection: 1X-XSS-ProtectionX-Frame-Options: SAMEORIGINX-Frame-OptionsX-Content-Type-Options: nosniffX-Content-Type-OptionsX-Download-Options: noopenStrict-Transport-Security: max-age=5184000. Strict Transport Security
WASM Hub Link:
https://webassemblyhub.io/repositories/174/kronos
For more information on security headers see OWASP Secure Headers Project
To test your website for remediation I recommend the Key CDN HTTP Header Checker Tool or comprehensively grade your website with: https://securityheaders.com/