~sircmpwn/sr.ht-dev


[PATCH 0/1] sr.ht-etc nginx security headers

Message ID: <20191116041109.76279-1-kmcopper@danwin1210.me>
This patch adds both security headers and strong cipher suites to the
nginx configuration of sr.ht.

Kyle Copperfield (1):
  nginx/http.conf: security headers

 nginx/http.conf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

-- 
2.24.0

[PATCH 1/1] nginx/http.conf: security headers

Message ID: <20191116041109.76279-2-kmcopper@danwin1210.me>
In-Reply-To: <20191116041109.76279-1-kmcopper@danwin1210.me>
- Strong defaults based on the mozilla ssl generator
- Commented out CSP (needs input on remote includes in sr.ht)
- XFO / XSS / Content-Type all common headers
- Strict cross origin referrer policy to prevent data leaks
- Strict feature policies sr.ht does not need, with omissions for
potentially used features in the future
- DNS prefetch limitation on urls simply on the page
- upgrade insecure requests for remote includes, which should really be
blocked by the CSP anyway.
---
 nginx/http.conf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/nginx/http.conf b/nginx/http.conf
index 3897088..0c88ea4 100644
--- a/nginx/http.conf
+++ b/nginx/http.conf
@@ -8,8 +8,29 @@ keepalive_timeout 65;
sendfile on;
tcp_nodelay on;

ssl_session_timeout 1d;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:2m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_stapling on;
ssl_stapling_verify on;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

#add_header Content-Security-Policy "default-src 'self' https://*.sr.ht" always;
#add_header X-Content-Security-Policy "default-src 'self' https://*.sr.ht" always;
#add_header X-WebKit-CSP "default-src 'self' https://*.sr.ht" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;  
add_header X-Frame-Options SAMEORIGIN always;  
add_header X-XSS-Protection "1; mode=block" always; 
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Feature-Policy "geolocation 'none'; midi 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; autoplay 'none'; accelerometer 'none'; ambient-light-sensor 'none'; display-capture 'none'; encrypted-media 'none';" always;
add_header X-DNS-Prefetch-Control "off" always;
add_header Upgrade-Insecure-Requests "1" always;

gzip_vary on;
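Review bot: as rendered, the hunk carries both `ssl_prefer_server_ciphers on;` and `ssl_prefer_server_ciphers off;`, and both `ssl_session_cache shared:SSL:2m;` and `ssl_session_cache shared:SSL:10m;`, while the stat reports a single deletion, so at least one of those pairs survives as a duplicate directive and nginx will refuse to start with a "directive is duplicate" error. Please remove the old `on` and `2m` lines explicitly; `off` is the right value for a TLS 1.2/1.3 AEAD-only cipher list, since it lets clients without AES acceleration choose ChaCha20-Poly1305. Two smaller points: `ssl_stapling_verify on;` only verifies the stapled OCSP response if an `ssl_trusted_certificate` with the issuer chain is configured alongside it, and `Upgrade-Insecure-Requests` is a request header set by browsers, so the `add_header Upgrade-Insecure-Requests "1" always;` line does nothing in a response and should be dropped. The `X-Content-Type-Options`, `X-Frame-Options` and `X-XSS-Protection` lines also carry trailing whitespace.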

-- 
2.24.0

Re: [PATCH 1/1] nginx/http.conf: security headers

Message ID: <BYID2N3EV3I6.26DMGUM18XMS8@homura>
In-Reply-To: <20191116041109.76279-2-kmcopper@danwin1210.me>
Thanks Kyle! These files aren't used in practice yet, but I'll keep
these suggestions in mind.

On Sat Nov 16, 2019 at 4:11 AM, Kyle Copperfield wrote:
> - Strong defaults based on the mozilla ssl generator

You should petition nginx to use these upstream as the defaults.

> - XFO / XSS  / Content-Type all common headers
> - Strict cross origin referrer policy to prevent data leaks

+1

> - Strict feature policies sr.ht does not need, with omissions for
> potentially used features in the future

Almost +1 here, I'm gonna drop autoplay cause sourcehut.org may use this
to demonstrate new features (with mute autoplay loop videos) in the
future and who knows if other domains might want that.

> - DNS prefetch limitation on urls simply on the page

Can you explain this?

> - upgrade insecure requests for remote includes, which should really be
> blocked by the CSP anyway.

Fair enough.

Re: [PATCH 1/1] nginx/http.conf: security headers

Message ID: <9eb44206-1f78-06ec-48d8-0805529b1cdc@metacode.biz>
In-Reply-To: <20191116041109.76279-2-kmcopper@danwin1210.me>
Hi Kyle,

> +add_header Upgrade-Insecure-Requests "1" always;

Upgrade-Insecure-Requests seems to be a request header (that is sent by
clients, not servers). More info on MDN:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests

and in the spec:

https://w3c.github.io/webappsec-upgrade-insecure-requests/#preference

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

Re: [PATCH 1/1] nginx/http.conf: security headers

Message ID: <6f040465-d695-9783-3789-989c14008e1a@metacode.biz>
In-Reply-To: <20191116041109.76279-2-kmcopper@danwin1210.me>
One more thing (sorry for the reply spam):

> +add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

"preload" can be dangerous if enabled on a whim:

https://hstspreload.org/#opt-in

Preload + hstspreload.org submission will make browsers *always* use 
HTTPS for sr.ht + subdomains with no workaround (if cert is invalid 
there won't be a "load site anyway" button in the browser UI).

In 2019 SSL certs are available for free so it's not a big problem but I 
think it's good to point out the ramifications of this process: removing 
HSTS preload would take months until new browser versions roll out (they 
ship with HSTS preload list) so well... better to know what's going on 
beforehand.

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor
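The two points Wiktor raises (the request-only header and the HSTS preload opt-in), as a check a reviewer could run over the patch's `add_header` values. This is an added example, not code from the thread or the sr.ht repository; the function names and the constructed `PATCH_HEADERS` sample are assumptions of this example.

```python
# Added audit helper, not part of the sr.ht patch: checks response headers for
# the two points raised in this thread (HSTS preload opt-in, request-only header).
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org: max-age of at least one year
REQUEST_ONLY_HEADERS = {"upgrade-insecure-requests"}  # sent by clients, never servers


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Names are case-insensitive; max-age becomes an int, or None if malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or True
    age = directives.get("max-age")
    if age is not None:
        directives["max-age"] = int(age) if isinstance(age, str) and age.isdigit() else None
    return directives


def hsts_preload_status(value):
    """Return (eligible, reasons) against the preload list requirements:
    max-age >= one year, includeSubDomains, and the preload directive."""
    d = parse_hsts(value)
    reasons = []
    if d.get("max-age") is None:
        reasons.append("max-age missing or malformed")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        reasons.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains missing")
    if "preload" not in d:
        reasons.append("preload directive missing")
    return not reasons, reasons


def audit_response_headers(headers):
    """Return findings for a list of (name, value) response header pairs."""
    findings = []
    for name, value in headers:
        if name.lower() in REQUEST_ONLY_HEADERS:
            findings.append(f"{name} is a request header; drop it from responses")
        elif name.lower() == "strict-transport-security" and hsts_preload_status(value)[0]:
            findings.append("HSTS opts into preload; undoing it takes browser release cycles")
    return findings


# Constructed sample mirroring the add_header lines in the patch.
PATCH_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Content-Type-Options", "nosniff"),
    ("Upgrade-Insecure-Requests", "1"),
]
```

Run `audit_response_headers(PATCH_HEADERS)` to get one finding per problematic header; a value like `max-age=300` fails all three preload requirements and so is not flagged as a preload opt-in.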