
Better security defaults #3

Open
nicorikken opened this issue Feb 11, 2017 · 15 comments

Comments

@nicorikken
Member

The current security rating for the deployed Freedomvote.nl setup is quite poor: https://observatory.mozilla.org/analyze.html?host=freedomvote.nl The same goes for the original Swiss version. I have to find out how to improve this, and then I can put it in the settings.

@nicorikken
Member Author

Based on the advice of https://cipherli.st/ I added some headers to the 433 section of the Nginx config:

```nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
```

That bumped the rating from a D to a C+.
It seems mainly configurations in Django will be the next level of improvement.

@andreabettich

Useful resource for Django:
https://docs.djangoproject.com/en/1.8/howto/deployment/checklist/#https

@nicorikken
Member Author

Also, Maurice referred to this manual: https://docs.djangoproject.com/en/1.10/ref/clickjacking/

@nicorikken
Member Author

```
System check identified some issues:

WARNINGS:
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
?: (security.W002) You do not have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, so your pages will not be served with an 'x-frame-options' header. Unless there is a good reason for your site to be served in a frame, you should consider enabling this header to help prevent clickjacking attacks.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
```

@nicorikken
Member Author

nicorikken commented Feb 12, 2017

Having added the 2 suggested middlewares:

```
$ python manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'x-xss-protection: 1; mode=block' header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.
```

@nicorikken
Member Author

Apparently there are no sane defaults, and I'll have to add them myself.

@nicorikken
Member Author

So finally I added these settings:

```python
# Security settings added later on
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SECURE_HSTS_SECONDS = 3600  # Perhaps increase later on
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
```

@andreabettich

We could combine this issue with the issue freedomvote/freedomvote#73 and add those settings to a production configuration.

@nicorikken
Member Author

Somehow I'm not getting the benefits in the automated Mozilla ratings. SSL Labs is giving an A rating though.

@nicorikken
Member Author

Certainly!
Added middleware:

```python
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
```

@nicorikken
Member Author

According to my Firefox developer tools:
(screenshot from 2017-02-13 attached)

@annejan

annejan commented Feb 14, 2017

```
Error: Multiple HSTS headers
Response error: Multiple HSTS headers (number of HSTS headers: 2).
```

https://hstspreload.org/?domain=freedomvote.nl

@andreabettich

andreabettich commented Feb 14, 2017

I get two `strict-transport-security`, `x-content-type-options`, `X-Frame-Options` headers on Google Chrome.
(screenshot attached)

@nicorikken
Member Author

I guess having X-Frame-Options both in Nginx and Django could be the issue. I'll switch them off at Django and see what I get.

@nicorikken
Member Author

Much better, thanks @annejan! I unset the SECURE_HSTS_SECONDS configuration in the Django settings, and this fixes the HSTS issue and bumps the security rating of Mozilla to a B. I had the same issue for SECURE_CONTENT_TYPE_NOSNIFF, for which the header was also already set by Nginx. Now that is resolved as well. https://securityheaders.io/?q=freedomvote.nl&hide=on&followRedirects=on

Better than a prominent Dutch voting website Kieskompas (D): https://observatory.mozilla.org/analyze.html?host=kieskompas.nl
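The duplicate-header problem discussed above (HSTS and X-Content-Type-Options sent by both Nginx and Django) is easy to miss by eye, so here is a small audit script as an added example; it is not code from the freedomvote project or any of the commenters. It parses the raw header block of one HTTPS response and reports which of the three headers this thread settles on are missing, which arrive more than once, and whether the HSTS `max-age` is below the one-year minimum the preload list requires. The two sample responses are constructed to mirror the thread's before and after states.

```python
"""Audit the security headers of one HTTP response.

Added example for this thread, not code from the freedomvote project. Reports
the thread's three security headers when they are missing, sent more than once
(e.g. HSTS emitted by both Nginx and Django, which hstspreload.org rejects),
or carry a weak value. The sample responses at the bottom are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Security headers the thread relies on; each must appear exactly once.
SINGLE_VALUED_SECURITY_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)
ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the preload list


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (lower-cased name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit(raw: str) -> Dict[str, object]:
    """Report missing, duplicated and weak security headers in a raw response."""
    pairs = parse_headers(raw)
    counts = Counter(name for name, _ in pairs)
    first: Dict[str, str] = {}
    for name, value in pairs:
        first.setdefault(name, value)  # value checks use the first occurrence

    missing = [h for h in SINGLE_VALUED_SECURITY_HEADERS if counts[h] == 0]
    duplicate = [h for h in SINGLE_VALUED_SECURITY_HEADERS if counts[h] > 1]
    weak: List[str] = []

    max_age = hsts_max_age(first["strict-transport-security"]) if "strict-transport-security" in first else None
    if max_age is not None and max_age < ONE_YEAR:
        weak.append("strict-transport-security: max-age below one year")
    if "x-frame-options" in first and first["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("x-frame-options: value is neither DENY nor SAMEORIGIN")
    if "x-content-type-options" in first and first["x-content-type-options"].lower() != "nosniff":
        weak.append("x-content-type-options: value is not nosniff")

    return {
        "missing": missing,
        "duplicate": duplicate,
        "weak": weak,
        "hsts_max_age": max_age,
        "ok": not (missing or duplicate or weak),
    }


# Constructed response resembling the thread's "before" state: Nginx and Django
# both emit HSTS, X-Frame-Options and nosniff, so each header arrives twice.
DOUBLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=3600
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: csrftoken=constructed; Secure
Set-Cookie: sessionid=constructed; Secure; HttpOnly
"""

# Constructed response after the fix: the three headers come from Nginx only.
# Repeated Set-Cookie headers are legitimate and are not flagged.
FIXED_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: csrftoken=constructed; Secure
Set-Cookie: sessionid=constructed; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("before", DOUBLE_HEADERS), ("after", FIXED_HEADERS)):
        print(label, audit(raw))
```

Only the three single-valued security headers are checked for duplicates, because headers such as `Set-Cookie` legitimately repeat; to audit a live deployment, paste the header block from the browser's developer tools (or `curl -sI`) into `audit()` and act on whichever of `missing`, `duplicate` or `weak` is non-empty.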
