~sircmpwn/sr.ht-dev

sr.ht-etc nginx security headers v1 PROPOSED

This patch adds both security headers and strong cipher suites to the
nginx configuration of sr.ht.

Kyle Copperfield (1):
  nginx/http.conf: security headers

 nginx/http.conf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

-- 
2.24.0
Thanks Kyle! These files aren't used in practice yet, but I'll keep
these suggestions in mind.

on Sat Nov 16, 2019 at 4:11 AM, Kyle Copperfield wrote:
Hi Kyle,
One more thing (sorry for the reply spam):
Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/9068/mbox | git am -3

[PATCH 1/1] nginx/http.conf: security headers

- Strong defaults based on the mozilla ssl generator
- Commented out CSP (needs input on remote includes in sr.ht)
- XFO / XSS / Content-Type all common headers
- Strict cross origin referrer policy to prevent data leaks
- Strict feature policies sr.ht does not need, with omissions for
potentially used features in the future
- DNS prefetch limitation on URLs simply on the page
- upgrade insecure requests for remote includes, which should really be
blocked by the CSP anyway.
---
 nginx/http.conf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/nginx/http.conf b/nginx/http.conf
index 3897088..0c88ea4 100644
--- a/nginx/http.conf
+++ b/nginx/http.conf
@@ -8,8 +8,29 @@ keepalive_timeout 65;
sendfile on;
tcp_nodelay on;

ssl_session_timeout 1d;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:2m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_stapling on;
ssl_stapling_verify on;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

#add_header Content-Security-Policy "default-src 'self' https://*.sr.ht" always;
#add_header X-Content-Security-Policy "default-src 'self' https://*.sr.ht" always;
#add_header X-WebKit-CSP "default-src 'self' https://*.sr.ht" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;  
add_header X-Frame-Options SAMEORIGIN always;  
add_header X-XSS-Protection "1; mode=block" always; 
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Feature-Policy "geolocation 'none'; midi 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; vibrate 'none'; autoplay 'none'; accelerometer 'none'; ambient-light-sensor 'none'; display-capture 'none'; encrypted-media 'none';" always;
add_header X-DNS-Prefetch-Control "off" always;
add_header Upgrade-Insecure-Requests "1" always;

gzip_vary on;
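Review bot: `ssl_prefer_server_ciphers` appears twice in this hunk (`on` just after `ssl_session_timeout`, `off` right after the `ssl_ciphers` line), and so does `ssl_session_cache` (`shared:SSL:2m` and `shared:SSL:10m`); if both copies of either survive in the http context, nginx refuses to start with a "directive is duplicate" error, so keep only `ssl_prefer_server_ciphers off;` (the right choice for this AEAD-only TLS 1.2 list, since the client can then pick CHACHA20 on hardware without AES acceleration) and only one `ssl_session_cache`. `add_header Upgrade-Insecure-Requests "1" always;` does nothing: Upgrade-Insecure-Requests is a request header browsers send, and the server-side control is the CSP directive `upgrade-insecure-requests`, so it belongs inside the Content-Security-Policy value (currently commented out) rather than as its own header. `X-XSS-Protection "1; mode=block"` enables a legacy auditor that Chrome has since removed and Firefox never implemented; set it to `"0"` or drop the line. Two caveats deserve a comment in the file: `add_header` lines in the http context are inherited by a server or location block only when that block declares no `add_header` of its own, so one per-location header silently discards this entire set; and `preload` combined with `includeSubDomains` commits every sr.ht subdomain to HTTPS for two years once submitted to the preload list, which is slow to reverse. Finally, `ssl_stapling_verify on;` only verifies the OCSP response if `ssl_trusted_certificate` points at the issuer chain; without it nginx logs a warning and skips verification.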

-- 
2.24.0
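The review points above (a duplicated directive, a request header misused as a response header, a deprecated auditor, a missing CSP) are all mechanically checkable from the config text. The following linter is an added example written for this thread; it is not part of the sr.ht-etc patch or of nginx. It assumes a flat http-context snippet of `name args;` statements with `#` comments, uses shlex for nginx-style quoting, and does not descend into server or location blocks. WEAK_CONF is a constructed sample mirroring the directives in the patch; HARDENED_CONF is a constructed variant with the issues fixed.

```python
"""Lint the security-relevant directives of a flat nginx http-context snippet.

Added example for this thread; not part of the sr.ht-etc patch or of nginx.
Assumptions: one flat context of `name args;` statements, '#' starts a
comment, and add_header values follow nginx quoting closely enough for
shlex. Nested server/location blocks are not handled.
"""
import re
import shlex
from collections import Counter

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires at least this

# Constructed sample mirroring the directives in the proposed patch.
WEAK_CONF = """
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
#add_header Content-Security-Policy "default-src 'self' https://*.sr.ht" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Upgrade-Insecure-Requests "1" always;
"""

# Constructed hardened variant: one cipher-preference directive, a real CSP
# carrying upgrade-insecure-requests, and the legacy XSS auditor disabled.
HARDENED_CONF = """
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
add_header Content-Security-Policy "default-src 'self' https://*.sr.ht; frame-ancestors 'self'; upgrade-insecure-requests" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
"""


def parse_directives(conf):
    """Return [(name, [args]), ...] for every 'name args;' statement."""
    directives = []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments (incl. #add_header)
        if not line.endswith(';'):
            continue
        parts = shlex.split(line[:-1])
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def response_headers(directives):
    """Header name (lowercased) -> value, taken from add_header directives."""
    return {args[0].lower(): args[1]
            for name, args in directives
            if name == 'add_header' and len(args) >= 2}


def lint(conf):
    """Return human-readable findings; an empty list means the snippet passed."""
    findings = []
    directives = parse_directives(conf)

    # nginx refuses to start when a non-repeatable directive occurs twice in
    # one context ("directive is duplicate"); add_header may legitimately repeat.
    for name, n in Counter(d for d, _ in directives if d != 'add_header').items():
        if n > 1:
            findings.append(f'duplicate directive {name} ({n} occurrences)')

    hdrs = response_headers(directives)

    hsts = hdrs.get('strict-transport-security', '').lower()
    age = re.search(r'max-age=(\d+)', hsts)
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append('Strict-Transport-Security missing or max-age below one year')
    elif 'preload' in hsts and 'includesubdomains' not in hsts:
        findings.append('HSTS preload requires includeSubDomains')

    if hdrs.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options should be nosniff')

    csp = hdrs.get('content-security-policy', '')
    if not csp:
        findings.append('no Content-Security-Policy')
    if 'x-frame-options' not in hdrs and 'frame-ancestors' not in csp:
        findings.append('no framing control (X-Frame-Options or CSP frame-ancestors)')
    if 'referrer-policy' not in hdrs:
        findings.append('no Referrer-Policy')

    # Deprecated or misplaced headers that add nothing or actively hurt.
    if hdrs.get('x-xss-protection', '0') != '0':
        findings.append('X-XSS-Protection should be "0" or omitted (legacy auditor)')
    if 'upgrade-insecure-requests' in hdrs:
        findings.append('Upgrade-Insecure-Requests is a request header; '
                        'use the CSP directive upgrade-insecure-requests instead')
    for obsolete in ('x-content-security-policy', 'x-webkit-csp'):
        if obsolete in hdrs:
            findings.append(f'{obsolete} is an obsolete prefixed header')
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(f'{label}: {lint(conf) or "OK"}')
```

Running it reports four findings for WEAK_CONF (the duplicate `ssl_prefer_server_ciphers`, the missing CSP, the `X-XSS-Protection` value and the misplaced `Upgrade-Insecure-Requests`) and none for HARDENED_CONF. The `add_header` inheritance gotcha is deliberately out of scope: it needs the full server/location tree, which this flat parser does not model.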