Hardening Kraken

Sw4mp_fox edited this page Jan 20, 2017 · 9 revisions

For more detailed security information on Django, see their security documentation.

HTTPS

  1. Activate Apache's SSL Module

     sudo a2enmod ssl
    
     sudo service apache2 restart
    
  2. Install SSL/TLS certificate and key

    Either install your own certificate and key pair or create a self-signed pair. Keep in mind that a self-signed certificate is, arguably, not a security improvement over having no transport security at all. It is best to use a valid, verifiable certificate that users do not have to accept manually. Create the directory that will hold the certificate and key pair:

     sudo mkdir /etc/apache2/ssl
    

    Optional: If you need to create a self-signed certificate:

     sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
    
  3. Add the following lines to Kraken's entry in /etc/apache2/sites-available/000-default.conf:

     SSLEngine on
     SSLCertificateFile "/etc/apache2/ssl/apache.crt"
     SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"

After restarting the apache2 service, HTTPS will be required to access Kraken.
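The three steps above, assembled into one complete virtual host. This is an added example, not the Kraken project's own configuration file: the hostname kraken.example.com is a placeholder, the certificate and key paths are the ones created in step 2, and the port-80 block (which only redirects to HTTPS) is an assumption about how "HTTPS will be required" is enforced, since Apache does not redirect on its own. Whatever WSGI or Alias directives Kraken's existing entry already carries belong inside the 443 block unchanged.

```apache
# /etc/apache2/sites-available/000-default.conf (added example, not Kraken's own file)
# ServerName is a placeholder; certificate and key paths match step 2 above.

# Port 80 serves nothing itself: every plain-HTTP request is sent to HTTPS,
# so neither session nor CSRF cookies can ever travel in clear text.
<VirtualHost *:80>
    ServerName kraken.example.com
    Redirect permanent "/" "https://kraken.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName kraken.example.com

    SSLEngine on
    SSLCertificateFile    "/etc/apache2/ssl/apache.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"
    # Assumed hardening beyond the page's three lines: refuse SSLv3 (Apache 2.4 syntax).
    SSLProtocol all -SSLv3

    # Kraken's existing WSGIScriptAlias / Alias / <Directory> directives go here, unchanged.
</VirtualHost>
```

Two checks before the restart in step 1 is repeated: the private key written by the openssl command in step 2 is unencrypted (that is what -nodes means), so restrict it with chmod 600 /etc/apache2/ssl/apache.key, and run sudo apachectl configtest so a typo in the vhost does not take Kraken offline.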

Enable Security Headers

Uncomment lines 30-33 of /opt/Kraken/Kraken/settings.py. These settings make the application more secure once SSL/TLS is enabled. The configuration changes they make are:

  • Enable the Secure flag on session tokens
  • Issue CSRF tokens
  • Enable HTTP Strict Transport Security

Turn Off Verbose Errors

Verbose error messages are informative during development, or while debugging the app in the field as a tester, but they should be disabled when Kraken runs on a production server as a fixed asset. Change the DEBUG variable on line 23 of /opt/Kraken/Kraken/settings.py to False to disable verbose error messages.
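A small audit script that covers both of the settings.py changes above (the security headers and DEBUG) so they can be verified after the edit rather than trusted. This is an added example, not part of Kraken or Django; it reads settings.py with Python's ast module instead of importing it, so the module is never executed. The mapping of the page's bullets to Django setting names is an assumption: "Secure flag on session tokens" is taken to be SESSION_COOKIE_SECURE, "Issue CSRF tokens" to be CSRF_COOKIE_SECURE, and HSTS to be SECURE_HSTS_SECONDS. Django's own python manage.py check --deploy reports the same flags; this version only needs the file path. The two sample settings texts are constructed for the demonstration.

```python
"""Audit a Django settings.py for the hardening flags this page describes (added example)."""
import ast
from pathlib import Path

# Expected values. Setting names are real Django settings; which of them sit on
# lines 23 and 30-33 of Kraken's settings.py is an assumption made here.
REQUIRED = {
    "DEBUG": False,                 # "Turn Off Verbose Errors"
    "SESSION_COOKIE_SECURE": True,  # Secure flag on the session cookie
    "CSRF_COOKIE_SECURE": True,     # Secure flag on the CSRF cookie
}


def parse_simple_assignments(source: str) -> dict:
    """Collect top-level NAME = <literal> assignments without executing the file.

    Commented-out lines (the state before "uncomment lines 30-33") are simply
    absent from the result, which the audit then reports as missing.
    """
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                continue  # not a plain literal (e.g. os.environ lookup); skip it
    return values


def audit_settings(settings: dict) -> list:
    """Return one finding string per hardening flag that is missing or wrong."""
    findings = []
    for name, wanted in REQUIRED.items():
        actual = settings.get(name)
        if actual != wanted:
            findings.append(f"{name} should be {wanted!r}, found {actual!r}")
    hsts = settings.get("SECURE_HSTS_SECONDS", 0)
    if not isinstance(hsts, int) or isinstance(hsts, bool) or hsts <= 0:
        findings.append("SECURE_HSTS_SECONDS must be a positive number of seconds (HSTS is off)")
    return findings


def audit_file(path) -> list:
    """Audit a settings.py on disk, e.g. audit_file('/opt/Kraken/Kraken/settings.py')."""
    return audit_settings(parse_simple_assignments(Path(path).read_text()))


# Constructed sample: the state before the page's edits (flags still commented out).
SAMPLE_DEFAULT = """
DEBUG = True
ALLOWED_HOSTS = ['*']
# SESSION_COOKIE_SECURE = True
# CSRF_COOKIE_SECURE = True
# SECURE_HSTS_SECONDS = 31536000
"""

# Constructed sample: the state after both sections of this page are applied.
SAMPLE_HARDENED = """
DEBUG = False
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000
"""

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        problems = audit_settings(parse_simple_assignments(text))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the real file with audit_file('/opt/Kraken/Kraken/settings.py') after editing; an empty list means all three flags and DEBUG are in the state this page asks for.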
