Add basic security #54
Comments
Can you quickly sum up what this does?

It adds some security headers as e.g. described here: https://scotthelme.co.uk/hardening-your-http-response-headers/
You can then check your website on securityheaders.io, e.g.: https://securityheaders.io/?q=https%3A%2F%2Fhostingwerk.de&followRedirects=on

Yes please! That was somewhere on my list too :) Did you check whether we could use CSP too? We're adding stuff via the

CSP is a lot more complex to implement and probably something that needs to be configured individually. The biggest hurdle is the lots of inline scripts IMO, which we add not only via Therefore this PR only focuses on the basic changes that are implemented quickly.

I like the integration of the bundle; the configuration details might have to be discussed though.

Do I see this correctly that this is already implemented in 4.3.7 and max security settings are in effect since there is no contao configuration for this?

Nope:

😳 whoops sorry

Implemented in bb69c02 and contao/manager-bundle@57280b1.
I wanted to change the

```yaml
# app/config/config.yml
# Framework configuration
framework:
    session:
        cookie_secure: true
        cookie_httponly: true

# Security configuration
nelmio_security:
    clickjacking:
        paths:
            '^/.*': DENY
    content_type:
        nosniff: true
    referrer_policy:
        enabled: true
        policies:
            - 'no-referrer'
    xss_protection:
        enabled: true
        mode_block: true
    forced_ssl:
        hsts_max_age: 31536000
        hsts_subdomains: true
```

I would have expected that the

What's the matter with

The problem is further: I can easily set all those security headers on a global scope by adding the respective directives to the web server configuration. However, if I do that all the headers set by the

The difference between But the strict version is not supported in all browsers so we should provide a fallback I think: According to the specification the browser should use the last value from the list that it supports. We should test that though.
This is already mentioned in the https://github.com/nelmio/NelmioSecurityBundle README:

…
```yaml
# Send a full URL in the `Referer` header when performing a same-origin request,
# only send the origin of the document to secure destination (HTTPS->HTTPS),
# and send no header to a less secure destination (HTTPS->HTTP).
# If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
# no referrer information is sent along with requests.
referrer_policy:
    enabled: true
    policies:
        - 'no-referrer'
        - 'strict-origin-when-cross-origin'
```
…

https://github.com/nelmio/NelmioSecurityBundle#referrer-policy
But using

Okay, that

So what do we do?

I think, @ausi's proposal should be fine:

…
```yaml
referrer_policy:
    enabled: true
    policies:
        - 'origin-when-cross-origin'
        - 'strict-origin-when-cross-origin'
```
…

Added in 1c40bf9 and contao/manager-bundle@d999865.
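As an added example (not code from this PR or from NelmioSecurityBundle), a small Python checker that audits a captured response header set against the basic headers configured in this thread and resolves a Referrer-Policy fallback list the way the spec describes (the last token the browser recognises wins). The expected header values are an assumption of what the bundle emits for these options, and the sample response is constructed.

```python
# Added example, not part of the PR or the bundle. Audits a header set against
# the basic settings discussed here and resolves Referrer-Policy fallbacks.

# Tokens defined by the Referrer Policy spec. A browser that knows only some
# of them ignores the rest and applies the last token it recognises.
KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def effective_referrer_policy(header_value, supported=KNOWN_REFERRER_POLICIES):
    """Return the policy a browser supporting `supported` applies, or None."""
    chosen = None
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in supported:
            chosen = token  # last recognised token wins
    return chosen


# Assumed header output of the nelmio_security options shown in the thread.
EXPECTED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


def audit_security_headers(headers):
    """Return findings for expected headers that are missing or differ."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = lower.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected.lower():  # directives are case-insensitive
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")
    if effective_referrer_policy(lower.get("referrer-policy", "")) is None:
        findings.append("referrer-policy: no recognised policy token")
    return findings


# Constructed sample: headers as a web server might send them.
SAMPLE_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_RESPONSE):
        print(finding)
```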
I would like to add the NelmioSecurityBundle to our default configuration and configure it with the following basic settings:
These basic settings should apply (and should be applied 😄) to every website.
@contao/developers Any objections?