Add some more security headers

[carlalexander]

I can do a PR for this, but not sure how you want to handle it. There are some extra security headers we can set to harden nginx. They're described here.

Would we want this by default for https configurations?

[drybjed]

Sounds good, although Content-Security-Policy might need to be configurable. Putting that in the default template seems reasonable.

[carlalexander]

Should the default be on like Strict Transport?

[drybjed]

"WARNING! This header must be carefully planned before deploying it on production website as it could easily break stuff and prevent a website to load it’s content!"

So probably not, maybe just in report mode? I bet that first deployments of the role aren't "production ready" and might be used to test it, so enabling content security policy right off the bat might break things.

[carlalexander]

Good to know lol. I'll work on this over the weekend or next week.

[drybjed]

Yeah... That's also why there's currently no HPKP support in the role, but that would require at least one more private RSA key set up for the eventual certificate (backup). That will take some planning and coordination with debops.pki, though.

[carlalexander]

Should the headers be added to nginx_http_options? Or should they be something separate?

[drybjed]

They should be only in the HTTPS section of the default nginx template. The HTTP section realistically should only send a redirect to HTTPS, since it can be intercepted (plaintext), so you want to redirect the client to HTTPS and then send the rest over the secure connection.

[carlalexander]

Sounds good! I tested the following headers:

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1";

These work fine. Although we need some nginx version detection code for the always argument of add_header. It's only available after version 1.7.5. I also found a guide on Content-Security-Policy. I'll see if I can find a good default value for it that won't make everything explode.

[carlalexander]

This is what I'm adding in the default template right now.

{% if item.csp_enabled is defined and item.csp_enabled %}
        add_header                Content-Security-Policy "{{ item.csp | d('default-src https:;') }}";
{% endif %}
{% if item.csp_reporting_enabled is defined and item.csp_reporting_enabled %}
        add_header                Content-Security-Policy-Report-Only "{{ item.csp_reporting | d(item.csp | d('default-src https:;')) }}";
{% endif %}
        add_header                X-Content-Type-Options "nosniff";
        add_header                X-Frame-Options "SAMEORIGIN";
        add_header                X-Xss-Protection "1";

Does it make sense to you? This would enforce everything over https by default if you turn it on.

[drybjed]

With Content Security Policy, i would use these variables:

• item.csp - bool, if enabled, it enables normal CSP
• item.csp_report - bool, if enabled, it enables only CSP report, not the full version
• item.csp_policy - the actual security policy for both normal and report mode

The X-Frame-Options should also be configurable, if somebody would want to include content from other providers, like Google Maps, or YouTube, for example.

[carlalexander]

What should the default be?

[drybjed]

Same origin sounds like a good default.