
Enhancement #571

Secure HTTP settings

Added by Marc Dequènes over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Category: Service :: Web
Start date: 2017-06-25
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security: Yes
Help Needed:

Description

Aside from TLS settings there are a few things we could improve.

I would suggest these Apache settings on all web hosts:

Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" 

We could update /etc/apache2/conf-enabled/security.conf via Ansible (even if Apache is not yet managed).


Related issues

Related to DuckCorp Infrastructure - Enhancement #572: HTTPS for All (Resolved, 2017-06-25)
Related to DuckCorp Infrastructure - Enhancement #602: Deploy Content Security Policy (CSP) and check other security headers (In Progress, 2017-09-30)

History

#1

Updated by Marc Dequènes over 2 years ago

#2

Updated by Marc Dequènes over 2 years ago

  • Assignee deleted (DC Admins)
#3

Updated by Marc Dequènes over 2 years ago

  • Status changed from New to In Progress

So X-Frame-Options set to DENY is a bit too drastic, and software like Roundcube cannot work with it. SAMEORIGIN works fine though.
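As an added example (not part of this ticket or of the DuckCorp Ansible code), the following Python script parses a captured HTTP response header block and checks it against the three headers proposed in the description, treating SAMEORIGIN as acceptable for X-Frame-Options as settled in this comment. The two sample responses are constructed, not captured from any DuckCorp host; the minimum HSTS lifetime is the 63072000 s value from the proposed setting.

```python
"""Check a raw HTTP response header block for the hardening headers
proposed in the ticket: X-Content-Type-Options, X-Frame-Options and
Strict-Transport-Security.

Added example; the samples below are constructed and not captured from
any real host.
"""
from email.parser import Parser  # stdlib header parser: case-insensitive names, folding

# Minimum HSTS lifetime, taken from the proposed setting (two years in seconds).
MIN_HSTS_MAX_AGE = 63072000

# Constructed sample: what a host running the proposed Apache settings would send.
HARDENED = """\
HTTP/1.1 200 OK
Date: Sun, 25 Jun 2017 10:00:00 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html; charset=utf-8

"""

# Constructed sample: a host that has not been hardened yet (short HSTS, no other headers).
LEGACY = """\
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=300
Content-Type: text/html

"""


def parse_headers(raw):
    """Split a raw response into (status line, header mapping)."""
    status, _, rest = raw.partition("\n")
    return status.strip(), Parser().parsestr(rest)


def parse_hsts(value):
    """Turn 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_headers(raw, allow_framing_same_origin=True):
    """Return a list of findings; an empty list means all proposed headers are present and sane."""
    _, headers = parse_headers(raw)
    findings = []

    xcto = headers.get("X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    # DENY breaks applications that frame themselves (e.g. Roundcube), so SAMEORIGIN
    # is accepted by default; pass allow_framing_same_origin=False to require DENY.
    allowed = {"deny"}
    if allow_framing_same_origin:
        allowed.add("sameorigin")
    xfo = headers.get("X-Frame-Options")
    if xfo is None or xfo.strip().lower() not in allowed:
        findings.append("X-Frame-Options missing or not one of: " + ", ".join(sorted(allowed)))

    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or malformed")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age %s below %d" % (max_age, MIN_HSTS_MAX_AGE))
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    return findings


if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(label, "->", check_headers(sample) or "OK")
```

To use it against a real host, paste the output of a `curl -sI` request into the script in place of the constructed samples; the checker only looks at the header block, so the body is irrelevant.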

#4

Updated by Marc Dequènes over 2 years ago

  • % Done changed from 0 to 20
#5

Updated by Marc Dequènes over 2 years ago

  • Assignee set to Marc Dequènes
#6

Updated by Marc Dequènes about 2 years ago

  • % Done changed from 20 to 90

Ansibilized.

If there is no objection I will then close this bug and of course we'll reevaluate from time to time.

#7

Updated by Marc Dequènes about 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

This reading is interesting: https://wiki.mozilla.org/Security/Guidelines/Web_Security

HTTP Public-Key Pinning (HPKP) is another workaround against rogue CAs, but you cannot change your key easily, so you need to prepare backup keys. Also if the problem is linked to the key cipher, then you're totally fraked and cannot update the certificate. This is really as much a constraint as a protection, so we're not going to implement this.

Content Security Policy (CSP) is interesting and seems well supported by most browsers. It needs to be adapted to the site's needs, so it is not a global policy. I will create a new BR for this experimentation.

#8

Updated by Marc Dequènes about 2 years ago

  • Related to Enhancement #602: Deploy Content Security Policy (CSP) and check other security headers added
