leftovers libelektra.org migration #1526

Open
markus2330 opened this Issue Jun 30, 2017 · 3 comments

Contributor

markus2330 commented Jun 30, 2017

tr37ion commented Jul 1, 2017

Unfortunately, I'm not using the Apache webserver. Though, from reading Apache sources, it should be a matter of adding something like this to your httpd.conf

Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options DENY
Header set X-Content-Type-Options nosniff

CSR Policy

If the previous three headers work fine (verify with the scanner I listed in #1505) you can add a CSR policy, to prevent cross-site attacks. AFAIK the website is not using any external CDN content, so this should be a good working policy.

To test it first, use

Header set Content-Security-Policy-Report-Only "default-src 'self';"

If that works fine, replace that line with

Header set Content-Security-Policy "default-src 'self';"

In short, this header ensures that browsers are only allowed to load content from the website's default URL itself.

HSTS

Additionally, you can add an HSTS header if you like. Adding this means that you have to redirect all HTTP requests to HTTPS by default! If you don't want this, just skip this section. It only tells the visitor's browser that your site will only allow HTTPS connections for the coming 31536000 seconds from the first time visiting your page.

Prior to implementing this header, you must ensure all your website's content is accessible over HTTPS, else your browser blocks your site from loading for the future (here max 31536000 seconds). If unsure, you can start with a small max-age=300 (5 minutes) value and then increase the number if scans are working fine.

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

In conclusion, if you add the first four headers + HSTS the website should be fine. Later you can always be more restrictive with your CSR policy, but for now this should be fine 👌

I hope this helps a bit.

🔥 HPKP

Optionally, you can add an HPKP header, but attention, this is a tricky task and in case of misconfiguration all your users won't be able to access your website anymore. I wouldn't recommend adding it for libelektra.org now. If you are risk-conscious you could do it, but please read into the topic before! --- I warned you 😜
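The comment above describes a staged rollout: X-Frame-Options and X-Content-Type-Options first, then CSP in Report-Only mode before enforcing it, then HSTS with a short max-age before the full year. The checker below, an added example that is not part of the issue or of libelektra, audits a set of response headers against that recommended end state and flags the intermediate steps; the sample headers are constructed, and the audit_headers/parse_hsts function names are my own.

```python
# Added example (not from the issue or libelektra): audit response headers against
# the recommended set. The STAGED sample below is constructed, not a real capture.
ONE_YEAR = 31536000  # the HSTS max-age recommended in the thread


def parse_hsts(value: str) -> dict:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''}"""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def audit_headers(headers: dict, min_age: int = ONE_YEAR) -> list:
    """Return findings; an empty list means the recommended set is fully in place."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    # Report-Only is the staging step: browsers report violations but enforce nothing.
    if "content-security-policy" not in h:
        findings.append("CSP is Report-Only, not enforced" if "content-security-policy-report-only" in h
                        else "Content-Security-Policy missing")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit():
            findings.append("HSTS max-age missing or not an integer")
        elif int(d["max-age"]) < min_age:
            findings.append(f"HSTS max-age {d['max-age']} is a rollout value below {min_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed sample: what the thread's test configuration would return.
STAGED = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy-Report-Only": "default-src 'self';",
    "Strict-Transport-Security": "max-age=300; includeSubDomains",
}

if __name__ == "__main__":
    print(*audit_headers(STAGED), sep="\n")
```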

Contributor

markus2330 commented Nov 5, 2017

@BernhardDenner I added a request for a redirection of puppet.libelektra.org (to your project). Ideally, the tutorial/docu you are writing should contain how to create such aliases.

Contributor

markus2330 commented Dec 10, 2017

@BernhardDenner I added a request for one more redirection, a tutorial would be great :-)
