Comments (12)
Sounds good, although Content-Security-Policy might need to be configurable. Putting that in the default template seems reasonable.
from ansible-nginx.
Should the default be on like Strict Transport?
"WARNING! This header must be carefully planned before deploying it on production website as it could easily break stuff and prevent a website to load it's content!"
So probably not, maybe just in report mode? I bet that first deployments of the role aren't "production ready" and might be used to test it, so enabling content security policy right off the bat might break things.
Good to know lol. I'll work on this over the weekend or next week.
Yeah... That's also why there's currently no HPKP support in the role, but that would require at least one more private RSA key set up for the eventual certificate (backup). That will take some planning and coordination with debops.pki, though.
Should the headers be added to nginx_http_options? Or should they be something separate?
They should be only in the HTTPS section of the default nginx template. The HTTP section realistically should only send a redirect to HTTPS, since it can be intercepted (plaintext), so you want to redirect the client to HTTPS and then send the rest over the secure connection.
Sounds good! I tested the following headers:
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1";
These work fine, although we need some nginx version detection code for the always argument of add_header. It's only available after version 1.7.5. I also found a guide on Content-Security-Policy. I'll see if I can find a good default value for it that won't make everything explode.
This is what I'm adding in the default template right now.
{% if item.csp_enabled is defined and item.csp_enabled %}
add_header Content-Security-Policy "{{ item.csp | d('default-src https:;') }}";
{% endif %}
{% if item.csp_reporting_enabled is defined and item.csp_reporting_enabled %}
add_header Content-Security-Policy-Report-Only "{{ item.csp_reporting | d(item.csp | d('default-src https:;')) }}";
{% endif %}
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1";
Does it make sense to you? This would enforce everything over https by default if you turn it on.
With Content Security Policy, I would use these variables:
- item.csp - bool, if enabled, it enables normal CSP
- item.csp_report - bool, if enabled, it enables only CSP report, not the full version
- item.csp_policy - the actual security policy for both normal and report mode
The X-Frame-Options
should also be configurable, if somebody would want to include content from other providers, like Google Maps, or YouTube, for example.
What should the default be?
Same origin sounds like a good default.
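As an added worked example (this is not code from the debops/ansible-nginx role or its template), the following Python script assembles the nginx configuration the thread converges on: an HTTP server block that only redirects to HTTPS, and an HTTPS block carrying the security headers, with the `always` argument emitted only when the nginx version is 1.7.5 or newer, and the CSP header chosen from the proposed `csp`, `csp_report` and `csp_policy` variables. The `frame_options` variable, the `name` key, the function names and the sample vhost are assumptions of this example, not part of the role.

```python
# Added example, not debops/ansible-nginx code: encodes the thread's decisions
# (redirect-only HTTP block, headers only over HTTPS, version-gated "always",
# csp/csp_report/csp_policy variables) so they can be checked in isolation.

DEFAULT_CSP = "default-src https:;"  # default policy discussed in the thread


def nginx_version_tuple(version: str) -> tuple:
    """Parse a version string such as '1.7.5' into (1, 7, 5) for comparison."""
    return tuple(int(part) for part in version.split("."))


def supports_always(version: str) -> bool:
    """The 'always' argument of add_header exists from nginx 1.7.5 onwards."""
    return nginx_version_tuple(version) >= (1, 7, 5)


def security_headers(item: dict, nginx_version: str) -> list:
    """Render the add_header lines for one vhost dict (hypothetical keys:
    csp, csp_report, csp_policy, frame_options)."""
    suffix = " always" if supports_always(nginx_version) else ""
    policy = item.get("csp_policy", DEFAULT_CSP)
    frame_options = item.get("frame_options", "SAMEORIGIN")  # agreed default
    lines = []
    if item.get("csp_report"):
        # report-only mode: browsers report violations but block nothing,
        # which is the safe first deployment the thread recommends
        lines.append(
            'add_header Content-Security-Policy-Report-Only "%s"%s;' % (policy, suffix))
    elif item.get("csp"):
        lines.append('add_header Content-Security-Policy "%s"%s;' % (policy, suffix))
    lines.append('add_header X-Content-Type-Options "nosniff"%s;' % suffix)
    lines.append('add_header X-Frame-Options "%s"%s;' % (frame_options, suffix))
    lines.append('add_header X-Xss-Protection "1"%s;' % suffix)
    return lines


def render_server(item: dict, nginx_version: str) -> str:
    """Return the HTTP (redirect-only) and HTTPS server blocks as one string.
    Security headers go into the HTTPS block only: the plaintext block can be
    intercepted, so it should carry nothing but the redirect."""
    name = item["name"]
    http_block = "\n".join([
        "server {",
        "    listen 80;",
        "    server_name %s;" % name,
        "    # plaintext section: redirect only, no headers or content",
        "    return 301 https://$host$request_uri;",
        "}",
    ])
    https_lines = [
        "server {",
        "    listen 443 ssl;",
        "    server_name %s;" % name,
        "    # ssl_certificate / ssl_certificate_key omitted (constructed example)",
    ]
    https_lines += ["    " + line for line in security_headers(item, nginx_version)]
    https_lines.append("}")
    return http_block + "\n\n" + "\n".join(https_lines)


def headers_only_in_https(config: str) -> bool:
    """Check the rule from the thread: no add_header in the HTTP block,
    at least one in the HTTPS block."""
    http_part, https_part = config.split("\n\n", 1)
    return "add_header" not in http_part and "add_header" in https_part


if __name__ == "__main__":
    # constructed sample vhost: enforced CSP with the default policy
    sample = {"name": "example.com", "csp": True}
    print(render_server(sample, "1.10.0"))
```

Running the script prints a config pair for the constructed vhost; swapping in `"csp_report": True` turns the enforced header into Content-Security-Policy-Report-Only with the same policy, and passing a version below 1.7.5 drops the `always` argument from every header.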