Enhancement #602
open
- % Done changed from 0 to 10
Tested on test.duckcorp.org and fixed a few things. Now applied on www.duckcorp.org.
The FF plugin had a false positive on script-src 'unsafe-inline'. I found the error reporting clearer on Chromium.
Content Security Policy: The page’s settings blocked the loading of a resource at https://irconweb.milkypond.org/#chan-1 (“form-action 'none'”).
- Subject changed from Experiment with Content Security Policy (CSP) to Deploy Content Security Policy (CSP) and check other security headers
- % Done changed from 10 to 30
It works, even if finding the right setting may need some trial and error.
I've already setup certain vhosts and certain applications may provide one (Nexcloud), so let's list the vhost needing one and fix them one by one.
I should also check the result of: https://securityheaders.com/
I updated the httpd role for more secure headers. I need to have a look at duplicate headers.
The Mozilla checker is interesting, especially for the CSP analysis. I'll make some fixes for our website soon and then try to add support for more vhosts.
Let's protect core services first:
- ca.duckcorp.org
- db.duckcorp.org
- ddns.duckcorp.org
- dico.duckcorp.org
- doc.duckcorp.org
- gossip.duckcorp.org
- lists.duckcorp.org
- myip.duckcorp.org
- ntp.duckcorp.org
- projects.duckcorp.org
- radio.duckcorp.org
- repository.duckcorp.org
- shizuka-STAR.duckcorp.org
- smokeping.duckcorp.org
- sources.duckcorp.org
- static.perso.duckcorp.org
stuff.milkypond.org (handled by NextCloud)- sup.duckcorp.org
- users.duckcorp.org
- vcs.duckcorp.org
- vcs-git.duckcorp.org
- vcs-git-viewer.duckcorp.org
webmail.duckcorp.org- wiki.duckcorp.org
www.duckcorp.orgwww.milkypond.org (redirection)
Excluded vhosts:
- perso.duckcorp.org: each user needs to adapt to its own need
- photos-ng.duckcorp.org: experimental at the moment
updated currently deployed CSP to use upgrade-insecure-requests
Also available in: Atom
PDF
Updated by