Security Risks Detected – Need Help Configuring Secure Headers in Frappe/ERPNext

Hi everyone,

While running a security scan on my ERPNext instance, I found the following risks:

  • Secure cookies not used
  • CSP is not implemented
  • HttpOnly cookies not used
  • Domain not found on the HSTS preload list
  • CAA not enabled

Can someone please guide me on how to fix these issues in Frappe/ERPNext?
I’d like to know:

  1. How to enable Secure and HttpOnly cookies in site_config.json or Nginx.

  2. How to implement a Content Security Policy (CSP) header safely.

  3. How to add my domain to the HSTS preload list.

  4. How to enable CAA records in DNS.

Environment details:

  • Frappe/ERPNext Version: 15

  • Deployment: Bench + Nginx

  • OS: Ubuntu 22.04

Any help or example configurations would be appreciated!

  1. Security FAQs
  2. We have configurable CSP as a feature coming soon, till then you could maybe directly set the desired CSP in your nginx (or other proxy’s) config.
  3. You can enable HSTS for your domain wherever you manage your DNS records.
  4. For CAA too, you’ll have to add a DNS record allowing the certificate authorities that you want.
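The five findings in the original post are all visible in a single HTTPS response plus the zone's CAA records, so they can be re-checked locally after the proxy and DNS changes are made. The script below is an added example (not from the post, the reply, or the Frappe project): it parses constructed raw HTTP responses and constructed CAA zone lines, reports the same findings the scanner listed, and checks that the `Strict-Transport-Security` header meets the hstspreload.org submission requirements (max-age of at least one year, `includeSubDomains`, `preload`); the preload list itself is a separate submission once the header is correct. The cookie names, header values and `example.com` records are sample data, and the "after" response assumes the Nginx site config adds `Strict-Transport-Security` and `Content-Security-Policy` with `add_header` and sets `Secure`/`HttpOnly` on upstream cookies with `proxy_cookie_flags`.

```python
"""Re-check the scanner's findings against a raw HTTPS response and CAA records.

Added example for the thread above; not part of Frappe/ERPNext. All input
below is constructed, not captured from a real site.
"""
import re

# Constructed response resembling what the scanner complained about.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: sid=abc123; Path=/; SameSite=Lax
Set-Cookie: user_id=Guest; Path=/
"""

# Constructed response after the proxy adds the headers and cookie flags
# (assumed to come from nginx add_header / proxy_cookie_flags directives).
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
Set-Cookie: sid=abc123; Path=/; SameSite=Lax; Secure; HttpOnly
Set-Cookie: user_id=Guest; Path=/; Secure; HttpOnly
"""

# Constructed CAA records in dig-style presentation format for example.com.
CAA_ZONE = [
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
    'example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"',
]

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_headers(raw):
    """Return [(name_lower, value)] from a raw response, skipping the status line."""
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_flags(set_cookie_value):
    """Attributes after the name=value pair, lower-cased (e.g. {'secure', 'httponly'})."""
    parts = [p.strip().lower() for p in set_cookie_value.split(";")]
    return set(parts[1:])


def hsts_preload_problems(value):
    """List why an HSTS header value would be rejected for preload submission."""
    directives = {}
    for d in value.split(";"):
        key, _, val = d.strip().lower().partition("=")
        if key:
            directives[key.strip()] = val.strip()
    problems = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        problems.append(f"HSTS max-age below one year (preload requires >= {ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("HSTS missing includeSubDomains (required for preload)")
    if "preload" not in directives:
        problems.append("HSTS missing preload directive (required for preload)")
    return problems


def audit(raw):
    """Return the scanner-style findings that still apply to this response."""
    headers = parse_headers(raw)
    findings = []
    for _, value in (h for h in headers if h[0] == "set-cookie"):
        name = value.split("=", 1)[0]
        flags = cookie_flags(value)
        if "secure" not in flags:
            findings.append(f"Secure cookies not used: {name}")
        if "httponly" not in flags:
            findings.append(f"HttpOnly cookies not used: {name}")
    if not any(n == "content-security-policy" for n, _ in headers):
        findings.append("CSP is not implemented")
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing (needed before preload submission)")
    else:
        findings.extend(hsts_preload_problems(hsts[0]))
    return findings


def caa_issuers(zone_lines):
    """Set of (tag, ca) pairs from CAA issue/issuewild records; empty means any CA may issue."""
    allowed = set()
    for line in zone_lines:
        m = re.search(r'\bCAA\s+\d+\s+(issue|issuewild)\s+"([^"]*)"', line)
        if m:
            allowed.add((m.group(1), m.group(2)))
    return allowed


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit(raw) or 'no findings'}")
    print("CAA issuers:", caa_issuers(CAA_ZONE) or "none (any CA may issue)")
```

To run it against a live site, replace the constructed strings with the raw response from `curl -sI https://your-site/` and the output of `dig CAA your-domain +short`; the checker deliberately parses text rather than fetching, so it works offline and in CI. An empty `caa_issuers` result is the "CAA not enabled" finding: with no CAA record present, any CA may issue for the domain.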