From e696caa31fc2c6f3613ab11568fc0d2392a047af Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 29 Dec 2017 16:00:29 +0100 Subject: [PATCH 01/12] [Fix] Nginx headers --- data/templates/nginx/server.tpl.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 685ae01b8..90a258433 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -42,7 +42,12 @@ server { # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; - add_header Strict-Transport-Security "max-age=31536000;"; + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"; + add_header 'Referrer-Policy' 'no-referrer'; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options "SAMEORIGIN"; access_by_lua_file /usr/share/ssowat/access.lua; From 9e19e5316ccbeeb1c6d3dd16dc70278eee18c648 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 29 Dec 2017 16:07:15 +0100 Subject: [PATCH 02/12] [Fix] Nginx headers --- data/templates/nginx/server.tpl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 90a258433..dee667939 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -42,7 +42,7 @@ server { # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header 'Referrer-Policy' 'no-referrer'; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; From 5cd30e584d4225a3c82ca54709189aa4f9bc9ba9 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 29 Dec 2017 16:16:37 +0100 Subject: [PATCH 03/12] [Fix] Nginx headers in Admin conf --- data/templates/nginx/plain/yunohost_admin.conf | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index a9d26d151..349be9177 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -36,8 +36,14 @@ server { # Uncomment the following directive after DH generation # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; - - add_header Strict-Transport-Security "max-age=31536000;"; + + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; + add_header 'Referrer-Policy' 'no-referrer'; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options "SAMEORIGIN"; location / { return 302 https://$http_host/yunohost/admin; From 95835118bd8e0c308dec2c3659719760cd17570f Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 29 Dec 2017 17:59:12 +0100 Subject: [PATCH 04/12] [Fix] CSP Standart. --- data/templates/nginx/server.tpl.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index dee667939..6f49d68c3 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -43,9 +43,11 @@ server { #ssl_dhparam /etc/ssl/private/dh2048.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header 'Referrer-Policy' 'no-referrer'; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; + add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options "SAMEORIGIN"; From 804d0b29c35aa450608487ae12ad4deefb1e8537 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 29 Dec 2017 18:25:17 +0100 Subject: [PATCH 05/12] [Fix] Add CSP in Admin conf --- data/templates/nginx/plain/yunohost_admin.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index 349be9177..9bdbb0f26 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -38,7 +38,8 @@ server { #ssl_dhparam /etc/ssl/private/dh2048.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header 'Referrer-Policy' 'no-referrer'; + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options noopen; From b655229cbd8c00cf57838f848b1988ff8d02d1d2 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sat, 30 Dec 2017 11:18:17 +0100 Subject: [PATCH 06/12] [Fix] Referrer --- data/templates/nginx/server.tpl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 6f49d68c3..11f503c98 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -43,7 +43,7 @@ server { #ssl_dhparam /etc/ssl/private/dh2048.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header 'Referrer-Policy' 'same-origin'; add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; From bd2f459e8663c401506faa2ac5503e74aa8e50b8 Mon Sep 17 00:00:00 2001 From: frju365 Date: Sat, 30 Dec 2017 11:18:58 +0100 Subject: [PATCH 07/12] [Fix] Referrer --- data/templates/nginx/plain/yunohost_admin.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index 9bdbb0f26..eedbd61b3 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -38,7 +38,7 @@ server { #ssl_dhparam /etc/ssl/private/dh2048.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header 'Referrer-Policy' 'origin-when-cross-origin'; + add_header 'Referrer-Policy' 'same-origin'; add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; From c824f403a421e63ede69922c4bb931dad599c1fa Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 9 Feb 2018 16:10:31 +0100 Subject: [PATCH 08/12] [Fix] Referrer, CSP bad conf. cf. Another pr. --- data/templates/nginx/server.tpl.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 11f503c98..20301b2c1 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -43,8 +43,7 @@ server { #ssl_dhparam /etc/ssl/private/dh2048.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header 'Referrer-Policy' 'same-origin'; - add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/"; + add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options noopen; From 4f616fe8c7a0d2de9f40b80b541a6cbd2b11eea2 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 9 Feb 2018 16:11:41 +0100 Subject: [PATCH 09/12] [Fix] CSP cf. another PR. --- data/templates/nginx/plain/yunohost_admin.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index eedbd61b3..51424f289 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -39,7 +39,7 @@ server { add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header 'Referrer-Policy' 'same-origin'; - add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';report-uri /csp-violation-report-endpoint/"; + add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options noopen; From 03273e3b946a74972185ad429fd9fe7ea49da474 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 9 Feb 2018 16:20:29 +0100 Subject: [PATCH 10/12] [fix] typo --- data/templates/nginx/server.tpl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index 20301b2c1..d5356fd6a 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -43,7 +43,7 @@ server { #ssl_dhparam /etc/ssl/private/dh2048.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval';"; + add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options noopen; From 4276a187a05c01378cd4574f7a09bcff30a9f00f Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 9 Feb 2018 16:24:16 +0100 Subject: [PATCH 11/12] [enh] Comment with the URL of the Mozilla Directives --- data/templates/nginx/server.tpl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf index d5356fd6a..ac2ff8486 100644 --- a/data/templates/nginx/server.tpl.conf +++ b/data/templates/nginx/server.tpl.conf @@ -42,6 +42,9 @@ server { # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; + # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners + # https://wiki.mozilla.org/Security/Guidelines/Web_Security + # https://observatory.mozilla.org/ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'"; add_header X-Content-Type-Options nosniff; From 6ab29260cf7669da78aa25fa088735b7f5f69846 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 9 Feb 2018 16:25:09 +0100 Subject: [PATCH 12/12] [enh] Mozilla directives. --- data/templates/nginx/plain/yunohost_admin.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/templates/nginx/plain/yunohost_admin.conf b/data/templates/nginx/plain/yunohost_admin.conf index 51424f289..156d61bd6 100644 --- a/data/templates/nginx/plain/yunohost_admin.conf +++ b/data/templates/nginx/plain/yunohost_admin.conf @@ -37,6 +37,9 @@ server { # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 #ssl_dhparam /etc/ssl/private/dh2048.pem; + # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners + # https://wiki.mozilla.org/Security/Guidelines/Web_Security + # https://observatory.mozilla.org/ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header 'Referrer-Policy' 'same-origin'; add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";