Add some more security headers #111
Comments
Sounds good, although
Should the default be on like Strict Transport?
"WARNING! This header must be carefully planned before deploying it on production website as it could easily break stuff and prevent a website to load it’s content!" So probably not, maybe just in report mode? I bet that first deployments of the role aren't "production ready" and might be used to test it, so enabling content security policy right off the bat might break things.
Good to know lol. I'll work on this over the weekend or next week.
Yeah... That's also why there's currently no HPKP support in the role, but that would require at least one more private RSA key set up for the eventual certificate (backup). That will take some planning and coordination with
Should the headers be added to
They should be only in the HTTPS section of the default nginx template. The HTTP section realistically should only send a redirect to HTTPS, since it can be intercepted (plaintext), so you want to redirect the client to HTTPS and then send the rest over the secure connection.
Sounds good! I tested the following headers:
These work fine. Although we need some nginx version detection code for the
This is what I'm adding in the default template right now.
Does it make sense to you? This would enforce everything over https by default if you turn it on.
With Content Security Policy, I would use these variables:
The
What should the default be?
Same origin sounds like a good default.
…1; mode=block`. `1; mode=block` seems to be the more common and more secure value for `X-XSS-Protection`. Refs:
* https://github.com/helmetjs/x-xss-protection
* https://gist.github.com/plentz/6737338
* https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#serve-security-related-headers-by-the-web-server
* curl -I google.de (interestingly, google.com does not have it)
Related to: debops#111 @carlalexander Are you OK with this change?
I can do a PR for this, but not sure how you want to handle it. There are some extra security headers we can set to harden nginx. They're described here.
Would we want this by default for https configurations?
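An nginx configuration illustrating the layout discussed in this thread (a plaintext server block that only redirects, all security headers confined to the HTTPS block, CSP deployed in report-only mode first, and `1; mode=block` for `X-XSS-Protection`); this is an added example, not the role's template, and the hostname, certificate paths, `max-age` and policy values are assumed placeholders.

```nginx
# Added example, not the debops nginx role's default template.
# Plaintext block: nothing but a redirect, since anything sent over
# HTTP can be intercepted. Headers are only added over TLS below.
server {
    listen 80;
    server_name example.com;               # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;               # placeholder hostname
    ssl_certificate     /etc/ssl/certs/example.com.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder

    # The "always" parameter makes nginx emit the header on error
    # responses too; it requires nginx 1.7.5 or newer, which is why
    # a role needs version detection before using it.

    # HSTS: only meaningful on the HTTPS block (browsers ignore it
    # when received over plaintext). max-age is a placeholder value.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Value discussed above: block the page instead of sanitising it.
    add_header X-XSS-Protection "1; mode=block" always;

    # Allow framing only by pages from the same origin.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # CSP in report-only mode: violations are reported to the
    # placeholder endpoint but nothing is blocked, so a fresh
    # deployment can be tested before the policy is enforced.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri /csp-report" always;

    location / {
        # Caveat: a location that declares its own add_header
        # drops every add_header inherited from this server block,
        # so keep them here or repeat the full set in that location.
        root /var/www/example.com;          # placeholder
    }
}
```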