Summary
Missing critical security headers in nginx configuration expose the site to SSL stripping attacks, XSS attacks, and information leakage.
Location
infrastructure/ansible/playbooks/20-deploy-everythingshouldbevirtual.yml (lines 222-226)
Description
The nginx configuration is missing several critical security headers:
- HSTS (HTTP Strict Transport Security)
- CSP (Content Security Policy)
- Referrer-Policy
- Permissions-Policy
Impact
- SSL Stripping Attacks: Without HSTS, attackers can downgrade HTTPS to HTTP
- XSS Attacks: Missing CSP allows inline scripts and unrestricted script sources
- Information Leakage: Missing Referrer-Policy may leak sensitive URL data
Remediation
Add security headers to nginx configuration:
- Strict-Transport-Security
- Content-Security-Policy
- Referrer-Policy
- Permissions-Policy
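An added example (not the project's own configuration) of how the four headers could be set in the nginx server block the playbook deploys; the hostname and the header values are assumptions and the CSP in particular must be tuned to the site's real script, style and image origins before it is rolled out:

```nginx
# Added example configuration; example.com and all header values are placeholders/assumptions.
server {
    listen 443 ssl http2;
    server_name example.com;

    # HSTS: "always" emits the header on 4xx/5xx responses too, not only on 2xx/3xx.
    # Only enable includeSubDomains once every subdomain actually serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # CSP: restrictive starting point, no inline scripts and no third-party script sources.
    # Any page that relies on inline <script> or external CDNs will break until the policy
    # lists those origins (or a nonce/hash scheme is introduced).
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;

    # Referrer-Policy: full URL only to same-origin; origin only cross-origin; nothing on HTTPS->HTTP.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Permissions-Policy: switch off browser features the site does not use.
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # NOTE: an add_header inside a location {} block replaces ALL add_header directives
    # inherited from this server block. Either keep every add_header at server level,
    # or put them in a snippet and include it in each location that adds its own headers.
    location / {
        try_files $uri $uri/ =404;
    }
}

# Plain-HTTP listener: redirect to HTTPS so HSTS is learned on the first visit.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, confirm the headers with `curl -sI https://example.com | grep -iE 'strict-transport|content-security|referrer-policy|permissions-policy'`, and check an error page (for example a 404) as well, since that is where a missing `always` shows up.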
Priority
P2 (Medium) - Should be addressed in next maintenance cycle
References
- OWASP Secure Headers Project
- CWE-693: Protection Mechanism Failure