Tuesday, January 21, 2020

Composer dump-autoload

Magento 2.3.3 Commerce
Useful links
https://phpprofi.ru/blogs/post/52
https://getcomposer.org/doc/03-cli.md#dump-autoload-dumpautoload-
https://magento.stackexchange.com/questions/284911/cant-run-any-commands-in-terminal/301796#301796

After running

composer dump-autoload --optimize
php7.2 bin/magento setup:di:compile

the compile step throws the error
Class Magento\Framework\App\ResourceConnection\Proxy does not exist

It works with a plain composer dump-autoload.
Also, I noticed that if I run composer dump-autoload --optimize twice, the second run takes longer than the first, and compiling works afterwards.

Friday, January 10, 2020

Nginx security headers

Usually, I added

X-Frame-Options SAMEORIGIN

There was a task with CWE-693: Protection Mechanism Failure, so I added security headers for stronger security.

Useful links
https://www.keycdn.com/blog/http-security-headers
https://devdocs.magento.com/guides/v2.3/config-guide/secy/secy-xframe.html
Magento 1 has supported this header since version 1.9.2

Tested the site headers via https://securityheaders.com/
Added to nginx.conf in the http block:

add_header x-xss-protection "1; mode=block" always;

and to vhost.conf in the server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header x-content-type-options "nosniff" always;
add_header feature-policy "autoplay 'none'; camera 'none'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
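One way to lay these headers out, as an added example written for this post rather than taken from it; the host name, certificate paths, PHP-FPM socket, Magento root and snippet path are placeholders. It moves every header into one snippet because of an nginx rule that the split above runs into: add_header lines are inherited from the http block only when the server (or location) block defines no add_header of its own, so a server block with its own add_header lines never sends the x-xss-protection set in http {}. The same holds for nested locations, and Magento 2's nginx.conf.sample adds Cache-Control and X-Frame-Options inside its static/media asset locations, so those locations need the snippet included again. Permissions-Policy is the current name of Feature-Policy and is sent beside it; X-XSS-Protection is kept only for old browsers (current Chromium and Firefox ignore it). Magento 2 also sends X-Frame-Options itself (see the devdocs link above), and nginx add_header appends rather than replaces, so check with curl -sI before setting a header in nginx that the application already emits, or two values arrive.

```nginx
# Added example, not the post's own configuration. Placeholders: host name,
# certificate paths, PHP-FPM socket, Magento root and the snippet path.

# ---- /etc/nginx/snippets/security-headers.conf ----
# One file, so every block that needs its own add_header can include the whole set.
# nginx does not merge add_header across levels: a server or location block with any
# add_header of its own inherits none from http {}. That is why x-xss-protection set
# only in http {} never reaches a server block that adds the other headers itself.
add_header X-Frame-Options "SAMEORIGIN" always;              # Magento 2 may already send this; check curl -sI first
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;          # legacy; ignored by current Chromium and Firefox
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Feature-Policy "autoplay 'none'; camera 'none'" always;   # older syntax
add_header Permissions-Policy "autoplay=(), camera=()" always;       # same policy, current syntax

# ---- vhost.conf ----
upstream fastcgi_backend {
    server unix:/run/php/php7.2-fpm.sock;      # placeholder socket
}

# Plain HTTP only redirects. No HSTS here: browsers ignore the header over http,
# so it is set on the TLS listener, where it is honoured.
server {
    listen 80;
    server_name shop.example.com;              # placeholder
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name shop.example.com;              # placeholder
    ssl_certificate     /etc/ssl/certs/shop.example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/shop.example.com.key;  # placeholder

    include /etc/nginx/snippets/security-headers.conf;
    # TLS host only. On a new site start with a short max-age and raise it to
    # 31536000 once every subdomain is known to serve HTTPS correctly.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    set $MAGE_ROOT /var/www/html/magento2;     # placeholder
    # Magento's sample sets Cache-Control and X-Frame-Options inside its static/media
    # asset locations; those locations therefore drop everything added above. Copy the
    # sample into this file and add the snippet include to each such location, or the
    # static assets go out without the security headers.
    include /var/www/html/magento2/nginx.conf.sample;
}
```

After reloading, confirm with curl -sI https://shop.example.com/ and with the same request against a static asset path, since that is where the location-level add_header lines override the server-level ones.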

Links related to Referrer-Policy
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
http://okiseleva.blogspot.com/2018/07/referrer-policy.html

The most difficult security header is Content-Security-Policy:

add_header Content-Security-Policy "default-src 'self'; img-src * 'self' data:; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *; object-src *; connect-src *; media-src *; font-src *;";

Links related to Content-Security-Policy
https://benjaminhorn.io/code/content-security-policy-what-it-is-what-it-does-and-how-to-implement-it/
https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy.html

An error with img-src is discussed at https://forum.framework7.io/t/content-security-policy-directive-img-src-self-data-https/5678

Short procedure for tuning the Content-Security-Policy directives:

Start with default-src 'none';
Open the developer panel (F12), check the console log for blocked resources, and add a rule for each of them using the supported directives below

Supported directives

default-src: Define the loading policy for all resource types in case a resource-type-specific directive is not defined (fallback)
script-src: Define which scripts the protected resource can execute
object-src: Define from where the protected resource can load plugins
style-src: Define which styles (CSS) the user agent applies to the protected resource
img-src: Define from where the protected resource can load images
media-src: Define from where the protected resource can load video and audio
frame-src: Define from where the protected resource can embed frames
font-src: Define from where the protected resource can load fonts
connect-src: Define which URIs the protected resource can load using script interfaces
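The procedure above (start from default-src 'none' and add directives from the console) is safer to run with a report-only header, which the browser evaluates but never enforces. The following is an added example for this post, not the author's configuration; the /csp-report path, the collector on 127.0.0.1:8081 and the log path are placeholders. It keeps an enforced policy close to the one above but closes the three directives that can be locked on any site without breaking pages, and runs the strict candidate in Content-Security-Policy-Report-Only beside it. Expect the Magento 2.3 storefront to report inline scripts: each needs a nonce, a hash, or a move to an external file before 'unsafe-inline' can leave script-src. Note also that add_header without always (as in the policy line above) is applied only to 200, 201, 204, 206 and 30x responses, so error pages would go out without a policy.

```nginx
# Added example, not the post's own configuration. Placeholders: the /csp-report
# path, the collector at 127.0.0.1:8081 and /var/log/nginx/csp.log.

# ---- http {} context (nginx.conf) ----
# escape=json needs nginx 1.11.8 or newer. $request_body is only populated when
# nginx reads the body, which proxy_pass below makes it do.
log_format csp_report escape=json '$time_iso8601 $remote_addr $request_body';

# ---- server {} context of the TLS host (vhost.conf) ----

# 1. Strict candidate, evaluated but never enforced. Every violation becomes a JSON
#    POST to report-uri; nothing is blocked, so it can run on production while tuned.
add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-src 'self'; media-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; report-uri /csp-report" always;

# 2. Enforced policy: the permissive one from the post, plus three directives that are
#    safe to close on any site. object-src 'none' stops plugin (Flash/PDF/Java) loads;
#    base-uri 'self' stops an injected <base> from redirecting relative script URLs;
#    frame-ancestors 'self' is the CSP replacement for X-Frame-Options SAMEORIGIN
#    (frame-src only limits what THIS page embeds, not who may embed it).
#    script-src * 'unsafe-inline' 'unsafe-eval' still gives no XSS protection: tighten
#    it from the collected reports, not by guessing. "always" so 404/500 pages carry it.
add_header Content-Security-Policy "default-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *; connect-src *; media-src *; font-src *; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;

# 3. Collect the reports. The collector only has to answer (204 is enough); the
#    violation JSON lands in csp.log through the log_format above.
location = /csp-report {
    limit_except POST { deny all; }
    client_max_body_size 16k;
    proxy_pass http://127.0.0.1:8081;          # placeholder collector
    access_log /var/log/nginx/csp.log csp_report;
}
```

Each report names the violated directive and the blocked URI, so the candidate is grown one source at a time from the log rather than from the browser console alone; once the report-only log is quiet, the candidate becomes the enforced header.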