feat(webserver): hardened security headers, disabled tls1.0 and tls1.…

…1 for non-legacy SSL config BREAKING CHANGE: If you are using SSL in your project, TLSv1.0 and TLSv1.1 has been disabled for all responses - only TLSv1.2 is served. If you still need older ciphers, consider using `app['webserver']['ssl_for_legacy_browsers']` configuration option.
ajgon · Jul 17, 2018 · 8351d58 · 8351d58
1 parent 07d3336
commit 8351d58
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/templates/default/appserver.apache2.passenger.conf.erb b/templates/default/appserver.apache2.passenger.conf.erb
@@ -35,6 +35,7 @@ Header always unset "X-Powered-By"
     Header set Access-Control-Allow-Origin "*"
     Header set Access-Control-Allow-Methods "GET, PUT, POST, DELETE"
     Header set Access-Control-Expose-Headers "ETag"
+    Header set X-Content-Type-Options "nosniff"
     </Location>
 
 <% if @appserver_config[:max_pool_size] -%>
@@ -87,11 +88,12 @@ SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
 
   <% if @out[:ssl_for_legacy_browsers] -%>
   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+  SSLProtocol All -SSLv2 -SSLv3
   <% else %>
   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   <% end %>
 
-  SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder On
   SSLCompression off
   SSLUseStapling on
@@ -115,6 +117,7 @@ SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
     Header set Access-Control-Allow-Origin "*"
     Header set Access-Control-Allow-Methods "GET, PUT, POST, DELETE"
     Header set Access-Control-Expose-Headers "ETag"
+    Header set X-Content-Type-Options "nosniff"
   </Location>
 
 <% if @appserver_config[:max_pool_size] -%>

diff --git a/templates/default/appserver.apache2.upstream.conf.erb b/templates/default/appserver.apache2.upstream.conf.erb
@@ -32,6 +32,7 @@ Listen <%= @out[:port] %>
     Header set Access-Control-Allow-Origin "*"
     Header set Access-Control-Allow-Methods "GET, PUT, POST, DELETE"
     Header set Access-Control-Expose-Headers "ETag"
+    Header set X-Content-Type-Options "nosniff"
   </Location>
 
   RewriteEngine on
@@ -88,11 +89,12 @@ SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
 
   <% if @out[:ssl_for_legacy_browsers] -%>
   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+  SSLProtocol All -SSLv2 -SSLv3
   <% else %>
   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
   <% end %>
 
-  SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder On
   SSLCompression off
   SSLUseStapling on
@@ -116,6 +118,7 @@ SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
     Header set Access-Control-Allow-Origin "*"
     Header set Access-Control-Allow-Methods "GET, PUT, POST, DELETE"
     Header set Access-Control-Expose-Headers "ETag"
+    Header set X-Content-Type-Options "nosniff"
   </Location>
 
   RewriteEngine on

diff --git a/templates/default/appserver.nginx.conf.erb b/templates/default/appserver.nginx.conf.erb
@@ -84,14 +84,15 @@ server {
 
   <% if @out[:ssl_for_legacy_browsers] -%>
   ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   <% else -%>
   ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+  ssl_protocols TLSv1.2;
     <% if Gem::Version.new(node['nginx']['version']) >= Gem::Version.new('1.1.0') -%>
   ssl_ecdh_curve secp384r1;
     <% end -%>
   <% end -%>
 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;
   <% if Gem::Version.new(node['nginx']['version']) >= Gem::Version.new('1.5.9') -%>