Better Configuration of nginx #564

Merged
merged 3 commits into from Nov 28, 2018

5 participants
@frju365
Member

frju365 commented Oct 19, 2018

The problem

  • Path-traversal not fixed (not really vulnerable in these cases)
  • "Nested "add_header" drops parent headers." (Gixy test)

Solution

PR Status

Tested (production + gixy tests). Need review.

How to test

...

Validation

  • Principle agreement 1/2: Josué
  • Quick review 0/1:
  • Simple test 0/1:
  • Deep review 0/1:
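The nginx inheritance rule behind the Gixy finding above, shown as an added example (this is not the PR's own diff; the server name, location path, backend address and snippet file name are placeholders). add_header directives are inherited from the enclosing level only when the current level defines none of its own, so one location-level add_header silently discards every server-level header.

```nginx
# BEFORE: the location's own add_header drops the server-level headers.
server {
    listen 443 ssl;
    server_name example.org;            # placeholder

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location /app/ {
        # This block defines its own add_header, so none of the three
        # server-level headers above are sent for /app/ responses.
        add_header Cache-Control "no-store";
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}

# AFTER: keep the shared headers in one snippet and include it at every
# level that defines its own add_header, so nothing is lost.
#
# Contents of /etc/nginx/conf.d/security_headers.conf.inc (placeholder path):
#   add_header X-Content-Type-Options nosniff always;
#   add_header X-Frame-Options SAMEORIGIN always;
#   add_header Strict-Transport-Security "max-age=63072000" always;
server {
    listen 443 ssl;
    server_name example.org;            # placeholder

    include conf.d/security_headers.conf.inc;

    location /app/ {
        add_header Cache-Control "no-store";
        # Re-include here: the local add_header above reset inheritance.
        include conf.d/security_headers.conf.inc;
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}

# Check: `nginx -t`, then `curl -sI https://example.org/app/` should list
# X-Frame-Options (and the other shared headers) alongside Cache-Control.
```

The `always` parameter makes the headers appear on error responses (4xx/5xx) too, which is what a header scanner such as securityheaders.com will otherwise flag on redirect or error pages.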

frju365 added some commits Oct 19, 2018

@frju365

Member Author

frju365 commented Nov 15, 2018

I forgot to say: to test it you can use this website: https://securityheaders.com/

@Josue-T
Contributor

Josue-T left a comment

Don't have time to test but looks good to me.

@silkevicious

Contributor

silkevicious commented Nov 15, 2018

Hi everyone.

I checked my YNH installation (both the "stable" release and the "testing" release) with the security headers.

It's not that bad actually, I got an A. We're missing the Referrer-Policy and the Feature-Policy (https://securityheaders.com/?q=luras.space&hide=on&followRedirects=on), but the rest looks good, I think?!

For reference, in order to improve even more, I've looked at that website's own headers: https://securityheaders.com/?q=https%3A%2F%2Fsecurityheaders.com%2F&hide=on&followRedirects=on

Maybe it contains some hints! Hope it helps!

@frju365

Member Author

frju365 commented Nov 15, 2018

Yeah, I know. For referrer: we disabled it. Perhaps it was too strict.
For feature-policy, it's quite new. I will perhaps look at the topic, but after this PR.

@zamentur
Contributor

zamentur left a comment

LGTM, reviewed but untested.

@alexAubin alexAubin added this to the 3.4.x milestone Nov 22, 2018

@alexAubin alexAubin merged commit 8cb029a into YunoHost:stretch-unstable Nov 28, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@frju365 frju365 deleted the frju365:patch-12 branch Nov 28, 2018

alexAubin added a commit that referenced this pull request Jan 30, 2019
