We agreed on #1175 to open an issue to follow up a discussion about the hardening mechanisms for Node.js (cc: @mhdawson @tniessen @RafaelGSS)

Hardening mechanisms SHOULD be used in the software produced by the project so that software defects are less likely to result in security vulnerabilities.

Hardening mechanisms may include HTTP headers like Content Security Policy (CSP), compiler flags to mitigate attacks (such as -fstack-protector), or compiler flags to eliminate undefined behavior. For our purposes least privilege is not considered a hardening mechanism (least privilege is important, but separate).

Context

• Discussion during the last meeting (Minute 18:58)
• Previous discussions and useful links

Potential actions

• Create a document with all the flags and default http headers included in Node.js by default.

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.