Public Read-only Gateway XSS Mitigation

Hello there,

I have a public IPFS read-only gateway node, which I’m using for serving only static files like json/jpg/mp4.
I’ve read about the possibility of XSS attacks on my public gateway, so my users may be affected by it.
I’ve looked into “Address IPFS on the Web | IPFS Docs”,
but I think I don’t need subdomain gateways to mitigate the issue because I’m not hosting any web applications or websites from my gateway.

My current node configuration is like this but I can’t be sure if I’m doing it right.

  "Gateway": {
    "HTTPHeaders": {
      "Access-Control-Allow-Headers": [
        "X-Requested-With",
        "Range",
        "User-Agent"
      ],
      "Access-Control-Allow-Methods": [
        "GET"
      ],
      "Access-Control-Allow-Origin": [
        "https://ipfs.io"
      ]
    },
    "RootRedirect": "",
    "Writable": false,
    "PathPrefixes": [],
    "APICommands": [],
    "NoFetch": true,
    "NoDNSLink": false,
    "PublicGateways": {
      "dweb.link": {
        "UseSubdomains": true,
        "Paths": ["/ipfs", "/ipns"]
      }
    }
  },

Any clarification on this topic would be helpful.
Thanks!

At this point, XSS isn’t even an issue.

If you aren’t hosting any app on the gateway, I guess that means you are only serving static files.
And gateways do not allow registering web workers that could modify the content, so the static files can’t be touched by the XSS.
In other words, is an XSS that can do nothing an issue? (No, it isn’t.)

If you are using it to host an app, you are right, you need a subdomain based one.

Thank you!
But how can I ensure that I’m only serving the static files in my local storage?
Not some other CID from, let’s say, a malicious IPFS node.

You can use the no fetch option in the config.

That means the IPFS gateway will only serve files present in its datastore and not download from the IPFS network (that requires you to pin the files first, else they won’t be present and it would fail).

I understand, thank you.

Just to understand correctly, if I were to serve files from other nodes then I should enforce site isolation. Let’s say I’ve registered my gateway at mypublicgateway.com and am serving content at the mypublicgateway.com/ipfs/<CID> path. In this case I just have to add the following to my gateway configuration, right?

Gateway.PublicGateways '{
    "http://mypublicgateway.com": {
      "UseSubdomains": true,
      "Paths": ["/ipfs"]
    }
  }'

I don’t know the details, I do everything using reverse proxy rewriting on my gateway.
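
Added example (not part of any post in this thread, and not Kubo's own code): a small Python check of the `Gateway` settings discussed above, flagging a gateway that can fetch arbitrary CIDs, is writable, or serves path-style content without origin isolation. The sample config is constructed, `gateway.example` is a placeholder hostname, and treating HEAD and OPTIONS as read-only methods is an assumption.

```python
import json

# Constructed sample: based on the config in the first post, with NoFetch
# set to false, POST allowed, and a path-style entry for a placeholder host.
SAMPLE = json.loads("""
{
  "Gateway": {
    "HTTPHeaders": {"Access-Control-Allow-Methods": ["GET", "POST"]},
    "Writable": false,
    "NoFetch": false,
    "PublicGateways": {
      "dweb.link": {"UseSubdomains": true, "Paths": ["/ipfs", "/ipns"]},
      "gateway.example": {"UseSubdomains": false, "Paths": ["/ipfs"]}
    }
  }
}
""")


def audit_gateway(config):
    """Return a list of findings for the Gateway section of a node config."""
    gw = config.get("Gateway", {})
    findings = []
    # NoFetch=true: serve only blocks already in the local datastore.
    if gw.get("NoFetch") is not True:
        findings.append("NoFetch is not true: gateway will fetch any CID from the network")
    if gw.get("Writable") is True:
        findings.append("Writable is true: gateway is not read-only")
    methods = gw.get("HTTPHeaders", {}).get("Access-Control-Allow-Methods", [])
    # Assumption: GET, HEAD and OPTIONS are the only read-only methods.
    extra = sorted(set(methods) - {"GET", "HEAD", "OPTIONS"})
    if extra:
        findings.append("CORS allows non-read methods: " + ", ".join(extra))
    for host, spec in (gw.get("PublicGateways") or {}).items():
        if not isinstance(spec, dict):  # skip null / non-object entries
            continue
        # Kubo's config docs describe PublicGateways keys as hostnames.
        if "://" in host or "/" in host:
            findings.append(f"{host}: key should be a bare hostname")
        # Without subdomains every CID under /ipfs shares one web origin;
        # per the thread this matters once content is not limited to local pins.
        if not spec.get("UseSubdomains") and gw.get("NoFetch") is not True:
            findings.append(f"{host}: path gateway without NoFetch, no origin isolation")
    return findings


if __name__ == "__main__":
    for line in audit_gateway(SAMPLE):
        print("FINDING:", line)
```

To check a real node, pass the parsed output of `ipfs config show` to `audit_gateway` instead of `SAMPLE`.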