From d7daa197a83bba33ce9c651f059786b7a4eac581 Mon Sep 17 00:00:00 2001
From: J0WI
Date: Mon, 1 Jul 2019 22:17:09 +0200
Subject: [PATCH 1/3] Add X-Frame-Options header to nginx
Signed-off-by: J0WI
---
 admin_manual/installation/nginx.rst | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst
index f34e8e29717..e6833374150 100644
--- a/admin_manual/installation/nginx.rst
+++ b/admin_manual/installation/nginx.rst
@@ -72,6 +72,7 @@ webroot of your nginx installation. In this example it is
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
+ add_header X-Frame-Options "SAMEORIGIN";
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
@@ -169,6 +170,7 @@ webroot of your nginx installation. In this example it is
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
+ add_header X-Frame-Options "SAMEORIGIN";
 # Optional: Don't log access to assets
 access_log off;
@@ -223,6 +225,7 @@ your nginx installation.
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
+ add_header X-Frame-Options "SAMEORIGIN";
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
@@ -320,6 +323,7 @@ your nginx installation.
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;
 add_header Referrer-Policy no-referrer;
+ add_header X-Frame-Options "SAMEORIGIN";
 # Optional: Don't log access to assets
 access_log off;
From 017754a3f35df468e76c2adddfd0f330289f803d Mon Sep 17 00:00:00 2001
From: J0WI
Date: Mon, 1 Jul 2019 22:18:08 +0200
Subject: [PATCH 2/3] Sort headers
Signed-off-by: J0WI
---
 admin_manual/installation/nginx.rst | 32 ++++++++++++++---------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst
index e6833374150..671be01e4cf 100644
--- a/admin_manual/installation/nginx.rst
+++ b/admin_manual/installation/nginx.rst
@@ -66,13 +66,13 @@ webroot of your nginx installation. In this example it is
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
+ add_header Referrer-Policy no-referrer;
 add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
 add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Robots-Tag none;
+ add_header X-XSS-Protection "1; mode=block";
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
@@ -164,13 +164,13 @@ webroot of your nginx installation. In this example it is
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
+ add_header Referrer-Policy no-referrer;
 add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
 add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Robots-Tag none;
+ add_header X-XSS-Protection "1; mode=block";
 # Optional: Don't log access to assets
 access_log off;
@@ -219,13 +219,13 @@ your nginx installation.
 # Before enabling Strict-Transport-Security headers please read into this
 # topic first.
 #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header Referrer-Policy no-referrer;
 add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
 add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Robots-Tag none;
+ add_header X-XSS-Protection "1; mode=block";
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
@@ -317,13 +317,13 @@ your nginx installation.
 # Before enabling Strict-Transport-Security headers please read
 # into this topic first.
 # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header Referrer-Policy no-referrer;
 add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy no-referrer;
 add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Robots-Tag none;
+ add_header X-XSS-Protection "1; mode=block";
 # Optional: Don't log access to assets
 access_log off;
From 75727f475b839ab786de1daabadf1886f7ca0051 Mon Sep 17 00:00:00 2001
From: J0WI
Date: Mon, 1 Jul 2019 22:24:44 +0200
Subject: [PATCH 3/3] Use "always" condition for security headers
Signed-off-by: J0WI
---
 admin_manual/installation/nginx.rst | 64 ++++++++++++++---------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/admin_manual/installation/nginx.rst b/admin_manual/installation/nginx.rst
index 671be01e4cf..c4a3116bf3c 100644
--- a/admin_manual/installation/nginx.rst
+++ b/admin_manual/installation/nginx.rst
@@ -59,20 +59,20 @@ webroot of your nginx installation. In this example it is
 # Add headers to serve security related headers
 # Before enabling Strict-Transport-Security headers please read into this
 # topic first.
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 #
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- add_header Referrer-Policy no-referrer;
- add_header X-Content-Type-Options nosniff;
- add_header X-Download-Options noopen;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Robots-Tag none;
- add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
@@ -157,20 +157,20 @@ webroot of your nginx installation. In this example it is
 # have those duplicated to the ones above)
 # Before enabling Strict-Transport-Security headers please read into
 # this topic first.
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
 #
 # WARNING: Only add the preload option once you read about
 # the consequences in https://hstspreload.org/. This option
 # will add the domain to a hardcoded list that is shipped
 # in all major browsers and getting removed from this list
 # could take several months.
- add_header Referrer-Policy no-referrer;
- add_header X-Content-Type-Options nosniff;
- add_header X-Download-Options noopen;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Robots-Tag none;
- add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 # Optional: Don't log access to assets
 access_log off;
@@ -218,14 +218,14 @@ your nginx installation.
 # Add headers to serve security related headers
 # Before enabling Strict-Transport-Security headers please read into this
 # topic first.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header Referrer-Policy no-referrer;
- add_header X-Content-Type-Options nosniff;
- add_header X-Download-Options noopen;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Robots-Tag none;
- add_header X-XSS-Protection "1; mode=block";
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 # Remove X-Powered-By, which is an information leak
 fastcgi_hide_header X-Powered-By;
@@ -316,14 +316,14 @@ your nginx installation.
 # to have those duplicated to the ones above)
 # Before enabling Strict-Transport-Security headers please read
 # into this topic first.
- # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header Referrer-Policy no-referrer;
- add_header X-Content-Type-Options nosniff;
- add_header X-Download-Options noopen;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Robots-Tag none;
- add_header X-XSS-Protection "1; mode=block";
+ # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "none" always;
+ add_header X-XSS-Protection "1; mode=block" always;
 # Optional: Don't log access to assets
 access_log off;