Add some security HTTP Headers

[elnappo]

Adds the following HTTP header (set by Django):

• X-XSS-Protection
• X-Content-Type-Option
• Referrer-Policy

See #281

[elnappo]

Added commit 9723a84 which sets HTTPONLY to CSRF cookies and USE_X_FORWARDED_HOST

[coveralls]

Coverage increased (+0.3%) to 72.699% when pulling 60a3fe5 on elnappo:secure-http into 78616cd on nsupdate-info:master.

[ThomasWaldmann]

today i've updated the prod site to master branch (and also updated dependencies, but still dj 1.11).

if this is finished, we can merge it and try it soon.

[elnappo]

Is ready to merge from my side. Should I add some additional header? CSP is rather complex and error prune. Which headers are currently added by nginx?

[ThomasWaldmann]

nginx now:

1 add_header Strict-Transport-Security "max-age=31536000;";
2 add_header X-Content-Type-Options "nosniff";
3 add_header X-XSS-Protection "1; mode=block";
4 add_header Expect-CT "enforce, max-age=21600";
5 proxy_set_header Host $http_host;
6 proxy_set_header X-Real-IP $remote_addr;
7 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
8 proxy_set_header X-Forwarded-Proto $scheme;

nginx after PR is merged:

1  add_header Strict-Transport-Security "max-age=31536000;";
2* -
3* -
4  add_header Expect-CT "enforce, max-age=21600";
5  proxy_set_header Host $http_host;
6  proxy_set_header X-Real-IP $remote_addr;
7  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
8  proxy_set_header X-Forwarded-Proto $scheme;

@elnappo correct?

Considering 5, guess I don't want USE_X_FORWARDED_HOST = True.
Do you think this should be the default nevertheless?
Shall I rather change 5 into X-Forwarded-Host $http_host and use USE_X_FORWARDED_HOST = True?

[elnappo]

Your'e right, we don't need X-Forwarded-Host. I removed it.

We also could add the Feature-Policy header:

proxy_set_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'; xr 'none'; usb 'none'; autoplay 'none'; legacy-image-formats 'none'; wake-lock 'none'";

https://github.com/w3c/webappsec-feature-policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
https://scotthelme.co.uk/a-new-security-header-feature-policy/

[ThomasWaldmann]

Our feature policy would read a bit like "fat free, sugar free, gluten free" printed on a bottle of mineral water.

But if it doesn't cause issues, why not have it...

[elnappo]

Yes, unfortunately there is no "deny all" parameter...