Setting more secure headers #68

Closed
DBJRdev opened this issue Jan 30, 2020 · 2 comments
@DBJRdev (Member) commented Jan 30, 2020

The ePartool has yet to adopt some more secure default settings. As mere HTTP deployments should not be supported anymore, some aspects could be upgraded:

  • HSTS headers
  • cookies only secure
  • protection against various Cross-Site attacks

The following additions to a .htaccess do most of it, but we should be clear whether that approach is the right place. Any thoughts/considerations?

<IfModule mod_headers.c>
  # HSTS only when this request itself arrived over TLS (the HTTPS env var is set by mod_ssl);
  # behind a TLS-terminating proxy or load balancer that variable is usually not set
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" env=HTTPS
  # append HttpOnly and Secure to every Set-Cookie the app emits
  # (applied to each Set-Cookie header, including ones that already carry the flags)
  Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
  # clickjacking, referrer leakage, legacy browser XSS filter, Flash/PDF cross-domain policy
  Header set X-Frame-Options "sameorigin"
  Header set Referrer-Policy "same-origin"
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
@DBJRdev DBJRdev added enhancement New feature or request question Further information is requested labels Jan 30, 2020
@davidurban davidurban assigned davidurban and mbohal and unassigned davidurban Jan 31, 2020
@mbohal (Contributor) commented Feb 3, 2020

Generally, there are two sets of headers:

Environment specific
These must be set per deployment as they would prevent running the application in other environments.
I think anything HTTPS related belongs in this group. Requiring HTTPS would make development needlessly complex and it would prevent using some more complicated production setups where SSL is not handled by the app server, but by some proxy or load balancer in front of it.

Also HSTS is a dangerous beast as it gets cached in user browsers and any error can therefore have really severe consequences by preventing users from accessing the site. Since https://mitwirkung.dbjr.de/mitmachen/ shares the domain with other sites, I would be rather careful setting this. Apparently it has been already though :).

These headers are not really part of the tool as such. I think the best thing we could do would be to provide some example .htaccess for HTTPS production deployments.

App specific
A while ago we did go through these, so they should be mostly OK. I tried to run Mozilla Observatory, but it tested https://mitwirkung.dbjr.de instead of https://mitwirkung.dbjr.de/mitmachen/ so the results are not really relevant to ePartool. Maybe some check-list could be done to see if everything that is applicable is set correctly?
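The check-list suggested above, as an added example that is not part of ePartool or of either comment: it audits a response's headers against the values from the .htaccess snippet in the first comment, treating HSTS and the Secure cookie flag as expected only when the response came over HTTPS (the "environment specific" group). The `BEFORE`/`AFTER` header lists are constructed, not captured from a real deployment; `audit_headers` and its accepted alternative values are this example's own choices.

```python
import re
# Constructed sample: headers of a deployment before and after the .htaccess
# snippet from the issue is applied (not captured from a real server).
BEFORE = [("Content-Type", "text/html"),
          ("Set-Cookie", "PHPSESSID=abc123; path=/")]
AFTER = [("Content-Type", "text/html"),
         ("Strict-Transport-Security", "max-age=15552000; includeSubDomains"),
         ("Set-Cookie", "PHPSESSID=abc123; path=/; HTTPOnly; Secure"),
         ("X-Frame-Options", "sameorigin"),
         ("Referrer-Policy", "same-origin"),
         ("X-Permitted-Cross-Domain-Policies", "none")]

def audit_headers(headers, https=True):
    """Return a list of findings; empty list means the check-list passes.
    headers: iterable of (name, value) pairs; https: response came over TLS."""
    findings, single, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value.strip()
    if https:  # HSTS is environment specific: only expected over TLS
        hsts = single.get("strict-transport-security", "")
        m = re.search(r"max-age=(\d+)", hsts)
        if not m:
            findings.append("Strict-Transport-Security missing")
        elif int(m.group(1)) < 15552000:  # the snippet's value: 180 days
            findings.append("Strict-Transport-Security max-age below 180 days")
    for c in cookies:  # cookie attribute names are case-insensitive (RFC 6265)
        cookie_name = c.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
    expected = {  # fixed-value headers from the snippet, plus safe alternatives
        "x-frame-options": {"sameorigin", "deny"},
        "referrer-policy": {"same-origin", "strict-origin-when-cross-origin", "no-referrer"},
        "x-permitted-cross-domain-policies": {"none"},
    }
    for key, allowed in expected.items():
        got = single.get(key, "").lower()
        if got not in allowed:
            findings.append(f"{key} is {got!r}, expected one of {sorted(allowed)}")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "OK")
```

Feeding it real headers is a matter of passing `response.getheaders()` from `http.client` (or `response.raw.headers.items()` from `requests`) fetched against the exact path under test, which is what the Observatory run described above got wrong.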

@mbohal (Contributor) commented Jul 10, 2020

This seems to be resolved, I'm closing this.

@mbohal mbohal closed this as completed Jul 10, 2020