Comments (12)

drybjed avatar drybjed commented on July 28, 2024

Sounds good, although Content-Security-Policy might need to be configurable. Putting that in the default template seems reasonable.

from ansible-nginx.

carlalexander avatar carlalexander commented on July 28, 2024

Should the default be on like Strict Transport?

drybjed avatar drybjed commented on July 28, 2024

"WARNING! This header must be carefully planned before deploying it on production website as it could easily break stuff and prevent a website to load its content!"

So probably not, maybe just in report mode? I bet that first deployments of the role aren't "production ready" and might be used to test it, so enabling content security policy right off the bat might break things.

carlalexander avatar carlalexander commented on July 28, 2024

Good to know lol. I'll work on this over the weekend or next week.

drybjed avatar drybjed commented on July 28, 2024

Yeah... That's also why there's currently no HPKP support in the role, but that would require at least one more private RSA key set up for the eventual certificate (backup). That will take some planning and coordination with debops.pki, though.

carlalexander avatar carlalexander commented on July 28, 2024

Should the headers be added to nginx_http_options? Or should they be something separate?

drybjed avatar drybjed commented on July 28, 2024

They should be only in the HTTPS section of the default nginx template. The HTTP section realistically should only send a redirect to HTTPS, since it can be intercepted (plaintext), so you want to redirect the client to HTTPS and then send the rest over the secure connection.

carlalexander avatar carlalexander commented on July 28, 2024

Sounds good! I tested the following headers:

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1";

These work fine. Although we need some nginx version detection code for the always argument of add_header. It's only available after version 1.7.5. I also found a guide on Content-Security-Policy. I'll see if I can find a good default value for it that won't make everything explode.

carlalexander avatar carlalexander commented on July 28, 2024

This is what I'm adding in the default template right now.

{% if item.csp_enabled is defined and item.csp_enabled %}
        add_header                Content-Security-Policy "{{ item.csp | d('default-src https:;') }}";
{% endif %}
{% if item.csp_reporting_enabled is defined and item.csp_reporting_enabled %}
        add_header                Content-Security-Policy-Report-Only "{{ item.csp_reporting | d(item.csp | d('default-src https:;')) }}";
{% endif %}
        add_header                X-Content-Type-Options "nosniff";
        add_header                X-Frame-Options "SAMEORIGIN";
        add_header                X-Xss-Protection "1";

Does it make sense to you? This would enforce everything over https by default if you turn it on.

drybjed avatar drybjed commented on July 28, 2024

With Content Security Policy, I would use these variables:

  • item.csp - bool, if enabled, it enables normal CSP
  • item.csp_report - bool, if enabled, it enables only CSP report, not the full version
  • item.csp_policy - the actual security policy for both normal and report mode

The X-Frame-Options should also be configurable, if somebody would want to include content from other providers, like Google Maps, or YouTube, for example.
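As an added illustration of the two proposals above (the template carlalexander posted and the variable scheme drybjed suggests), the following Python function renders the add_header block for one server item and gates the `always` parameter on the nginx version, since add_header only gained `always` in 1.7.5 and without it nginx omits the header on error responses. This is example code written for this page, not the ansible-nginx role's template; the variable names item.csp, item.csp_report and item.csp_policy follow drybjed's comment, item.frame_options is a hypothetical name for the configurable X-Frame-Options value, and treating csp_report as "report-only instead of enforced" is one reading of that comment. One caveat worth keeping in mind when choosing the X-Frame-Options default: it controls whether other sites may frame your pages; embedding third-party content such as maps or videos in your own pages is governed by the CSP frame-src directive, not by X-Frame-Options.

```python
"""Render nginx security-header directives for one ansible-nginx server item.

Constructed stand-in for the Jinja2 snippet discussed in the thread; not the
role's own code. Variable names follow drybjed's proposal (item.csp,
item.csp_report, item.csp_policy); item.frame_options is hypothetical.
"""
from typing import Dict, List, Tuple

DEFAULT_CSP_POLICY = "default-src https:;"
# add_header ... always; appeared in nginx 1.7.5. Without it nginx only adds
# the header to 2xx/3xx responses, so a 404 page would be served bare.
ALWAYS_MIN_VERSION: Tuple[int, ...] = (1, 7, 5)


def parse_nginx_version(text: str) -> Tuple[int, ...]:
    """Turn '1.7.5' or 'nginx/1.18.0' (as printed by `nginx -v`) into a tuple."""
    text = text.strip()
    if text.startswith("nginx/"):
        text = text[len("nginx/"):]
    return tuple(int(part) for part in text.split("."))


def supports_always(version: str) -> bool:
    """True when this nginx understands the `always` parameter of add_header."""
    return parse_nginx_version(version) >= ALWAYS_MIN_VERSION


def render_security_headers(item: Dict, nginx_version: str) -> List[str]:
    """Return the add_header lines for the HTTPS server block of `item`.

    Headers belong in the HTTPS block only; the plaintext HTTP block should
    just redirect to HTTPS, as the thread notes.
    """
    suffix = " always" if supports_always(nginx_version) else ""
    lines: List[str] = []

    def header(name: str, value: str) -> None:
        lines.append(f'add_header {name} "{value}"{suffix};')

    policy = item.get("csp_policy", DEFAULT_CSP_POLICY)
    if item.get("csp_report"):
        # Report mode: browsers log violations but block nothing, which is the
        # safe way to trial a policy on a fresh deployment.
        header("Content-Security-Policy-Report-Only", policy)
    elif item.get("csp"):
        header("Content-Security-Policy", policy)

    header("X-Content-Type-Options", "nosniff")
    # SAMEORIGIN is the default the thread settles on; DENY is the other
    # safe value. (item.frame_options is a hypothetical variable name.)
    header("X-Frame-Options", item.get("frame_options", "SAMEORIGIN"))
    header("X-Xss-Protection", "1")
    return lines


if __name__ == "__main__":
    # Constructed sample item: enforce CSP, default frame options.
    for line in render_security_headers({"csp": True}, "nginx/1.18.0"):
        print("        " + line)
```

Running the module prints four directives, each ending in `always;` because 1.18.0 is newer than 1.7.5; passing `"1.6.2"` instead yields the same directives without the parameter.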

carlalexander avatar carlalexander commented on July 28, 2024

What should the default be?

drybjed avatar drybjed commented on July 28, 2024

Same origin sounds like a good default.
