MapComplete/MapComplete
MapComplete/MapComplete
5
11
Fork 6
Code Issues 200 Pull requests 3 Releases Activity Actions

Adopt / implement modern internet standards for mapcomplete.org #2627

New issue
Open
opened 2026-01-12 20:54:04 +00:00 by wouterko · 7 comments
wouterko commented 2026-01-12 20:54:04 +00:00
Copy link

Hi, I am a frequent user of mapcomplete. It would be great if mapcomplete.org would implement some of the modern internet standards promoted by amongst others internet.nl. This makes the website more robust, available and supportive towards the future internet.

See test results:

https://internet.nl/site/mapcomplete.org/3673105/
https://internet.nl/site/www.mapcomplete.org/3673083/
https://internet.nl/mail/mapcomplete.org/1717236/
https://internet.nl/mail/www.mapcomplete.org/1717240/ (this mailtest is relevant to prevent e-mail spoofing from @www.mapcomplete.org)

While not all individual tests may be relevant per se for mapcomplete.org, I've listed the, in my opinion, most important ones in the table below.

  • IPv6 makes the site available on modern connections apart from the older IPv4. Since IPv4 is less and less available, it is key for future accessibility of the site (especially from the Global South) (medium, dependent on hosting provider)
  • DNSSEC Protects against some fundamental DNS design flaws. See: https://www.namecheap.com/support/knowledgebase/subcategory/2232/dnssec/ (medium/hard, dependent on hosting provider)
  • HSTS the Strict-Transport-Security HTTP-header, which upgrades http > https without possibility of MITM (still trust on first use, easy)
  • CAA Restricts what CA's can issue TLS certificates, done by adding DNS records (easy)
  • CSP the Content-Security-Policy HTTP-header that restricts browser functions to those needed by the site (hard to get it perfect, easy to start with a relaxed CSP)
  • security.txt File that should be published at /.well-known/security.txt to aid in vulnerability disclosure processes (see for example https://openstreetmap.org/.well-known/security.txt (easy)
  • DMARC, SPF Prevent e-mail spoofing (along with DKIM), added through DNS (easy/medium)
  • DANE E-mail cert pinning/'HSTS for e-mail', dependent on hosting provider and requires frequent updating (so should be automated) (hard)

Thanks!

Hi, I am a frequent user of mapcomplete. It would be great if mapcomplete.org would implement some of the modern internet standards promoted by amongst others internet.nl. This makes the website more robust, available and supportive towards the future internet. See test results: https://internet.nl/site/mapcomplete.org/3673105/ https://internet.nl/site/www.mapcomplete.org/3673083/ https://internet.nl/mail/mapcomplete.org/1717236/ https://internet.nl/mail/www.mapcomplete.org/1717240/ (this mailtest is relevant to prevent e-mail spoofing from @www.mapcomplete.org) While not all individual tests may be relevant per se for mapcomplete.org, I've listed the, in my opinion, most important ones in the table below. - [x] **IPv6** makes the site available on modern connections apart from the older IPv4. Since IPv4 is less and less available, it is key for future accessibility of the site (especially from the Global South) (medium, dependent on hosting provider) - [x] **DNSSEC** Protects against some fundamental DNS design flaws. See: https://www.namecheap.com/support/knowledgebase/subcategory/2232/dnssec/ (medium/hard, dependent on hosting provider) - [x] **HSTS** the `Strict-Transport-Security` HTTP-header, which upgrades http > https without possibility of MITM (still trust on first use, easy) - [x] **CAA** Restricts what CA's can issue TLS certificates, done by adding DNS records (easy) - [x] **CSP** the `Content-Security-Policy` HTTP-header that restricts browser functions to those needed by the site (hard to get it perfect, easy to start with a relaxed CSP) - [x] **security.txt** File that should be published at /.well-known/security.txt to aid in vulnerability disclosure processes (see for example https://openstreetmap.org/.well-known/security.txt (easy) - [ ] **DMARC, SPF** Prevent e-mail spoofing (along with DKIM), added through DNS (easy/medium) - [ ] **DANE** E-mail cert pinning/'HSTS for e-mail', dependent on hosting provider and requires frequent updating (so should be automated) (hard) Thanks!
pietervdvn commented 2026-01-12 22:47:19 +00:00
Owner
Copy link

I'm adding IPv6 addresses for the hetzner-hosted items. One server (cache.mapcomplete.org) lives on a residential, IPv4 connection.

@Thibaultmol What is the IPv6 address of panoramax.mapcomplete.org ? (Run ip addr in the terminal and paste the output here)

I'm adding IPv6 addresses for the hetzner-hosted items. One server (cache.mapcomplete.org) lives on a residential, IPv4 connection. @Thibaultmol What is the IPv6 address of panoramax.mapcomplete.org ? (Run `ip addr` in the terminal and paste the output here)
Thibaultmol commented 2026-01-15 08:29:20 +00:00
Owner
Copy link

2a01:4f8:c2c:3cfe::1/64

2a01:4f8:c2c:3cfe::1/64
👍 1
pietervdvn commented 2026-01-19 12:47:35 +00:00
Owner
Copy link

DNSSEC turned out to be a single checkbox to check at namecheap...

DNSSEC turned out to be a single checkbox to check at namecheap...
pietervdvn commented 2026-01-26 15:36:30 +00:00
Owner
Copy link

I will not enable HSTS; this might brick the website completely if the SSL ever gets broken. See this comment. Caddy (on my end) forces users to HTTPS anyway. Browsers nowadays will attempt to use HTTPS first anyway (Firefox does this since ~1year)

I will not enable HSTS; this might brick the website completely if the SSL ever gets broken. See [this comment](https://github.com/caddyserver/caddy/issues/4751#issuecomment-1113617127). Caddy (on my end) forces users to HTTPS anyway. Browsers nowadays will attempt to use HTTPS first anyway ([Firefox does this since ~1year](https://support.mozilla.org/en-US/kb/https-first))
pietervdvn commented 2026-01-26 15:54:54 +00:00
Owner
Copy link

CSP is handled by setting this in every HTML file with a script. It is impossible to do this via the caddy configuration file: every HTML file has a different set of sources it might connect to (depending on background layers and some special features). This set of URLs is also quite dynamic as the repository of useable background layers has quite some movement.

CSP is handled by setting this in every HTML file with a script. It is impossible to do this via the caddy configuration file: every HTML file has a different set of sources it might connect to (depending on background layers and some special features). This set of URLs is also quite dynamic as the [repository of useable background layers](https://github.com/osmlab/editor-layer-index/) has quite some movement.
👍 1
pietervdvn commented 2026-01-26 16:21:48 +00:00
Owner
Copy link

security.txt is deployed on the develop branch (and will eventually also be on the main version)

[security.txt](https://dev.mapcomplete.org/.well-known/security.txt) is deployed on the develop branch (and will eventually also be on the main version)
wouterko commented 2026-02-04 20:50:39 +00:00
Author
Copy link

Thank you very much for taking the time to fix this!! Already great score on the web test now!

@pietervdvn wrote in #2627 (comment):

I will not enable HSTS; this might brick the website completely if the SSL ever gets broken. See this comment. Caddy (on my end) forces users to HTTPS anyway. Browsers nowadays will attempt to use HTTPS first anyway (Firefox does this since ~1year)

I get the viewpoint, yet "this might brick the website completely if the SSL ever gets broken" in my perspective is a feature not a bug. The reason: client-side attempted HTTPS-first is very good, but HSTS is recommended since the client is still vulnerable to man-in-the-middle downgrade attacks (for example by shady wifi networks). Since the client would just continue over HTTP, the connection is now unencrypted. HSTS solves this by caching this "HTTPS-only" property in the browser, making all following connections protected for downgrade attacks. By default, HSTS requires still "trust on first use". If you would want to have no need for trust on first use, you can use the HSTS preload directive: https://hstspreload.org/

Due to HTTPS and replacing certs being so trivial these days, I think the downsides are minimal. If you ever need to get rid of HTTPS for any reason, you could temporarily serve a HSTS header with max-age=0. This resets the cache when someone visits the site.

Just my 2 cents on the topic.

@pietervdvn wrote in #2627 (comment):

security.txt is deployed on the develop branch (and will eventually also be on the main version)

Very nice! Just a small remark: the e-mail address should be preceded with mailto: (according to the RFC this has to be a valid URI)

Thank you very much for taking the time to fix this!! Already great score on the web test now! @pietervdvn wrote in https://source.mapcomplete.org/MapComplete/MapComplete/issues/2627#issuecomment-6221: > I will not enable HSTS; this might brick the website completely if the SSL ever gets broken. See [this comment](https://github.com/caddyserver/caddy/issues/4751#issuecomment-1113617127). Caddy (on my end) forces users to HTTPS anyway. Browsers nowadays will attempt to use HTTPS first anyway ([Firefox does this since ~1year](https://support.mozilla.org/en-US/kb/https-first)) I get the viewpoint, yet "this might brick the website completely if the SSL ever gets broken" in my perspective is a _feature_ not a bug. The reason: client-side attempted HTTPS-first is very good, but HSTS is recommended since the client is still vulnerable to man-in-the-middle downgrade attacks (for example by shady wifi networks). Since the client would just continue over HTTP, the connection is now unencrypted. HSTS solves this by caching this "HTTPS-only" property in the browser, making all following connections protected for downgrade attacks. By default, HSTS requires still "trust on first use". If you would want to have no need for trust on first use, you can use the HSTS preload directive: https://hstspreload.org/ Due to HTTPS and replacing certs being so trivial these days, I think the downsides are minimal. If you ever need to get rid of HTTPS for any reason, you could temporarily serve a HSTS header with max-age=0. This resets the cache when someone visits the site. Just my 2 cents on the topic. @pietervdvn wrote in https://source.mapcomplete.org/MapComplete/MapComplete/issues/2627#issuecomment-6225: > [security.txt](https://dev.mapcomplete.org/.well-known/security.txt) is deployed on the develop branch (and will eventually also be on the main version) Very nice! Just a small remark: the e-mail address should be preceded with mailto: (according to the RFC this has to be a valid URI)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
master
Robin-patch-1
feature/multiselect
Robin-patch-2
build/provincie_antwerpen
refactoring/streets
feature/offline-fg-data
feature/traffic-signs
build/openlovemap
layer/verkeersbordendatabank
fix/photosphere-walk
script/eli-health-report
build/velopark
feature/narrowboat
v0.57.5
v0.57.4
v0.57.3
v0.57.2
v0.57.1
v0.57.0
v0.56.7
v0.56.6
v0.56.5
v0.56.4
v0.56.3
v0.56.2
v0.56.1
v0.56.0
v0.55.7
v0.55.6
v0.55.5
v0.55.4
v0.55.3
v0.55.2
v0.55.1
v0.54.7
exp-0.54.6
v0.54.6
v0.54.5
v0.54.4
v0.54.3
v0.54.2-experimental-2
v0.54.3-experimental-insets
v0.54.2
v0.54.1
v0.54.0
v0.53.19
v0.53.18
v0.53.17
v0.53.16
v0.53.15
v0.53.14
v0.53.13
v0.53.12
v0.53.11
v0.53.10
v0.53.9
v0.53.8
v0.53.7
v0.53.6
v0.53.5
v0.53.4
v0.53.3
v0.53.2
v0.53.1
v0.53.0
v0.52.18
v0.52.17
v0.52.16
v0.52.15
v0.52.14
v0.52.13
v0.52.12
v0.52.11
v0.52.10
v0.52.9
v0.52.8
v0.52.7
v0.52.6
v0.52.5
v0.52.4
v0.52.3
v0.52.2
v0.52.1
v0.51.22
v0.51.21
v0.51.20
v0.51.19
v0.51.18
v0.51.17
v0.51.16
v0.52.0
v0.51.15
v0.51.14
v0.51.13
v0.51.12
v0.51.11
v0.51.10
v0.51.9
v0.51.7
v0.51.6
v0.51.5b
v0.51.5a
v0.51.5
v0.51.4
v0.52.3-b
v0.52.3-a
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.8
v0.50.7
v0.50.6
v0.50.5
v0.50.4
v0.50.3
v0.50.2
v0.50.1
v0.50.0
v0.49.0
v0.48.8
v0.48.7
v0.48.6
v0.48.5
v0.48.4
v0.48.3
v0.48.2
v0.48.1
v0.48.0
v0.47.14
v0.47.13
v0.47.12
v0.47.11
v0.47.10
v0.47.9
v0.47.8
v0.47.7
v0.47.6
v0.47.5
v0.47.4
v0.46.12
v0.46.11
v0.46.10
v0.47.2
v0.47.1
v0.47.0
v0.46.9
v0.46.8
v0.46.7
Labels
Clear labels   
Android-shell

Label for issues related to the android shell

  
awaiting feedback

We are waiting for the OP to get back to us, e.g. with an example

  
awaiting fix confirmation

We are waiting for OP to confirm that the fix worked for them (or will close when they don't reply)

  
bug

Something isn't working

  
enhancement

New feature or request

  
Help Wanted

Extra attention is needed

  
high-priority

It's urgent!

  
huge

A huge task, preferably to do with funding

  
low-priority

Might be fixed one day... or not

  
Meta

Something that cannot be fixed by code

  
NLNet

Will be developed, funded by NLNet

  
OSOC21:Cycling-OVL

A feature specific for this project

  
Performance

Make things faster or leaner

  
question

Further information is requested

  
search-ui-enhancement

Related to the search functionality

  
Studio

Graphical user interface to create or edit themes and layers

  
Tailwind

Something related to the CSS-framework

  
Themes

A new theme idea or improvement to an already existing theme

  
UI

Related to the user interface

  
upstream-issue

An issue that should be fixed in an upstram library

  
usertest

Issues surfaced during usertests

No labels
Android-shell
awaiting feedback
awaiting fix confirmation
bug
enhancement
Help Wanted
high-priority
huge
low-priority
Meta
NLNet
OSOC21:Cycling-OVL
Performance
question
search-ui-enhancement
Studio
Tailwind
Themes
UI
upstream-issue
usertest
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
MapComplete/MapComplete#2627
No description provided.