Enhancement #571
closed
Added by Marc Dequènes almost 7 years ago.
Updated over 6 years ago.
Description
Aside from TLS settings there are a few things we could improve.
I would suggest these Apache settings on all web hosts:
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
We could update /etc/apache2/conf-enabled/security.conf via Ansible (even is Apache is not yet managed).
- Assignee deleted (
DC Admins)
- Status changed from New to In Progress
So X-Frame-Options set to DENY is a bit too drastic, and softwares like Roundcube cannot work with it. SAMEORIGIN works fine though.
- % Done changed from 0 to 20
- Assignee set to Marc Dequènes
- % Done changed from 20 to 90
Ansibilized.
If there is no objection I will then close this bug and of course we'll reevaluate from time to time.
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100
This reading is interesting: https://wiki.mozilla.org/Security/Guidelines/Web_Security
HTTP Public-Key Pinning (HPKP) is another workaround against rogue CAs, but you cannot change your key easily, so you need to prepare backup keys. Also if the problem is linked to the key cipher, then you're totally fraked and cannot update the certificate. This is really as much as a constraint as a protection, so we're not going to implement this.
Content Security Policy (CSP) is interesting and seem well supported by most browsers. It needs to be adapted to the site's needs, so it is not a global policy. I will create a new BR for this experimentation.
- Related to Enhancement #602: Deploy Content Security Policy (CSP) and check other security headers added
Also available in: Atom
PDF
Updated by