Enhancement #571 (closed): Secure HTTP settings

Added by Marc Dequènes almost 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Category: Service :: Web
Start date: 2017-06-25
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security: Yes
Help Needed:

Description

Aside from TLS settings there are a few things we could improve.

I would suggest these Apache settings on all web hosts:

Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

We could update /etc/apache2/conf-enabled/security.conf via Ansible (even if Apache is not yet managed).


Related issues (2: 1 open, 1 closed)

Related to DuckCorp Infrastructure - Enhancement #572: HTTPS for All (Resolved, Marc Dequènes, 2017-06-25)
Related to DuckCorp Infrastructure - Enhancement #602: Deploy Content Security Policy (CSP) and check other security headers (In Progress, Marc Dequènes, 2017-09-30)
#1: Updated by Marc Dequènes almost 7 years ago

#2: Updated by Marc Dequènes almost 7 years ago

  • Assignee deleted (DC Admins)
#3: Updated by Marc Dequènes almost 7 years ago

  • Status changed from New to In Progress

So X-Frame-Options set to DENY is a bit too drastic, and software like Roundcube cannot work with it. SAMEORIGIN works fine though.
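Added example, not part of this issue or of DuckCorp's Ansible code: a small Python checker that parses a raw HTTP response head and reports every deviation from the policy proposed in the description, accepting either DENY or SAMEORIGIN for X-Frame-Options as this comment settles on. The minimum max-age (taken as the proposed 63072000), the two sample responses and the function names are assumptions made for the demonstration.

```python
"""Check an HTTP response head for the headers proposed in this issue.

Added example (not DuckCorp's Ansible code). Header names and values follow
the issue; MIN_HSTS_MAX_AGE is assumed to be the 63072000 proposed there, and
the two responses at the bottom are constructed for the demonstration.
"""
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 63072000                     # two years, as proposed in the issue
ALLOWED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}  # DENY breaks Roundcube; SAMEORIGIN accepted


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Turn a raw HTTP response head into {lowercased name: [values...]}.

    Repeated headers are kept as a list so that a duplicate, conflicting
    X-Frame-Options line is visible to the checker instead of being overwritten.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # element 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)         # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=63072000; includeSubDomains; preload' into directives."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = None
    return directives


def check_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per deviation from the proposed policy (empty list = compliant)."""
    findings: List[str] = []

    xcto = headers.get("x-content-type-options", [])
    if not xcto:
        findings.append("X-Content-Type-Options missing")
    elif xcto[0].lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto[0]!r}, expected nosniff")

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len({v.upper() for v in xfo}) > 1:
        findings.append("X-Frame-Options sent with conflicting values; browsers treat that as invalid")
    elif xfo[0].upper() not in ALLOWED_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options is {xfo[0]!r}, expected DENY or SAMEORIGIN")

    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        directives = parse_hsts(hsts[0])
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in directives:
            findings.append("HSTS lacks preload")

    return findings


# Constructed responses: one matching the proposal, one with typical gaps.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
    "<html></html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.net\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        result = check_security_headers(parse_response_head(raw))
        print(f"{label}: {result or 'no findings'}")
```

Feeding it the head of a real response (for example the output of `curl -sI https://host/`) is the quickest way to confirm that the Ansible-managed security.conf actually took effect on every vhost, since a `Header always set` in the wrong scope is easy to miss by eye.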

#4: Updated by Marc Dequènes almost 7 years ago

  • % Done changed from 0 to 20
#5: Updated by Marc Dequènes almost 7 years ago

  • Assignee set to Marc Dequènes
#6: Updated by Marc Dequènes over 6 years ago

  • % Done changed from 20 to 90

Ansibilized.

If there is no objection I will then close this bug and of course we'll reevaluate from time to time.

#7: Updated by Marc Dequènes over 6 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

This reading is interesting: https://wiki.mozilla.org/Security/Guidelines/Web_Security

HTTP Public-Key Pinning (HPKP) is another workaround against rogue CAs, but you cannot change your key easily, so you need to prepare backup keys. Also if the problem is linked to the key cipher, then you're totally fraked and cannot update the certificate. This is really as much a constraint as a protection, so we're not going to implement this.

Content Security Policy (CSP) is interesting and seems well supported by most browsers. It needs to be adapted to the site's needs, so it is not a global policy. I will create a new BR for this experimentation.

#8: Updated by Marc Dequènes over 6 years ago

  • Related to Enhancement #602: Deploy Content Security Policy (CSP) and check other security headers added