Friday, 10 January 2020

Nginx security headers

Usually I added only one header:

X-Frame-Options SAMEORIGIN

There was a task tagged CWE-693: Protection Mechanism Failure, so I added a fuller set of security headers.

Useful links
https://www.keycdn.com/blog/http-security-headers
https://devdocs.magento.com/guides/v2.3/config-guide/secy/secy-xframe.html
(Magento 1: supported since version 1.9.2)

I tested the site's headers via https://securityheaders.com/
Added to nginx.conf in the http block:

add_header x-xss-protection "1; mode=block" always;

Note that this header only affects browsers with a built-in XSS filter; Chrome removed its XSS Auditor in version 78 and Firefox never implemented one, so it is a legacy header and Content-Security-Policy is the real protection.

and to vhost.conf in the server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header x-content-type-options "nosniff" always;
add_header feature-policy "autoplay 'none'; camera 'none'" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
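To verify that a server actually sends the set above (securityheaders.com does this online), here is an added example, not from the original post, that audits a header set offline. The SAMPLE_HEADERS dict is a constructed copy of what nginx would send with the directives shown; the check names and the one-year HSTS threshold are my own choices:

```python
"""Audit HTTP response headers against the security-header set from the post."""
import urllib.request
from typing import Dict, List

# Constructed sample: the headers a server would send with the nginx
# add_header lines shown above (not a real capture). No CSP is set yet.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Feature-Policy": "autoplay 'none'; camera 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

MIN_HSTS_AGE = 31536000  # one year, the max-age used in the post


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers (not used by the offline test)."""
    with urllib.request.urlopen(url) as resp:  # noqa: S310 - audit tool
        return dict(resp.headers.items())


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into a lowercase-keyed dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        try:
            age = int(hsts.get("max-age", "0"))
        except ValueError:
            age = 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run against the constructed sample it reports exactly one finding, the missing Content-Security-Policy, which is the header the rest of the post goes on to add. Pass the result of fetch_headers(url) instead of SAMPLE_HEADERS to audit a live site.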

Links related to Referrer-Policy
https://scotthelme.co.uk/a-new-security-header-referrer-policy/
http://okiseleva.blogspot.com/2018/07/referrer-policy.html

The most difficult security header is Content-Security-Policy.

add_header Content-Security-Policy "default-src 'self'; img-src * 'self' data:; style-src 'self' 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *; object-src *; connect-src *; media-src *; font-src *;";

Keep in mind what this particular policy does: script-src * 'unsafe-inline' 'unsafe-eval' lets scripts load from any origin and run inline or via eval, and object-src * allows plugins from anywhere, so it does not restrict script execution at all. It is a safe starting point that will not break the site, but the protection against XSS only comes once script-src is narrowed to the origins the site really uses, following the procedure below.

Links related to Content-Security-Policy
https://benjaminhorn.io/code/content-security-policy-what-it-is-what-it-does-and-how-to-implement-it/
https://ole.michelsen.dk/blog/secure-your-website-with-content-security-policy.html

An error with img-src that I ran into, with its discussion: https://forum.framework7.io/t/content-security-policy-directive-img-src-self-data-https/5678

Short procedure for working out the Content-Security-Policy header's directives:

Start with default-src 'none';
Open the developer tools (F12), check the console for the CSP violation messages, and add rules for each of the supported directives the site needs.

Supported directives

default-src: defines the loading policy for all resource types when no resource-specific directive is defined (fallback)
script-src: defines which scripts the protected resource can execute
object-src: defines from where the protected resource can load plugins
style-src: defines which styles (CSS) the user applies to the protected resource
img-src: defines from where the protected resource can load images
media-src: defines from where the protected resource can load video and audio
frame-src: defines from where the protected resource can embed frames
font-src: defines from where the protected resource can load fonts
connect-src: defines which URIs the protected resource can load using script interfaces
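The procedure above (start from default-src 'none', then grant directives one by one) and the fallback rule in the directive list can be worked through in code. This is an added example, not from the original post: a small CSP parser that resolves the effective sources of a fetch directive, flags the permissive sources in the post's policy, and shows a policy being built up from 'none'. The function names and the list of weak sources it checks are my own; POST_CSP is a copy of the policy value from the post.

```python
"""Parse a Content-Security-Policy value, resolve fallbacks, flag weak sources."""
from typing import Dict, List

# The policy value from the post, used here as parser input.
POST_CSP = (
    "default-src 'self'; img-src * 'self' data:; style-src 'self' 'unsafe-inline'; "
    "script-src * 'unsafe-inline' 'unsafe-eval'; frame-src *; object-src *; "
    "connect-src *; media-src *; font-src *;"
)

# Fetch directives from the post's list; each falls back to default-src when absent.
FETCH_DIRECTIVES = ("script-src", "object-src", "style-src", "img-src",
                    "media-src", "frame-src", "font-src", "connect-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty segment, e.g. after the trailing ';'
        name, sources = tokens[0].lower(), tokens[1:]
        # Per the CSP spec a repeated directive is ignored: the first one wins.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def find_weak_sources(policy: Dict[str, List[str]]) -> List[str]:
    """Report sources that leave script execution or plugin loading unrestricted."""
    findings: List[str] = []
    for d in ("script-src", "object-src"):
        srcs = effective_sources(policy, d)
        if "*" in srcs:
            findings.append(f"{d} allows any origin (*)")
        if d == "script-src":
            for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
                if keyword in srcs:
                    findings.append(f"script-src allows {keyword}")
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    return findings


def allow(policy: Dict[str, List[str]], directive: str, source: str) -> None:
    """Grant one source to a directive: the step taken for each console violation."""
    policy.setdefault(directive, []).append(source)


def serialize(policy: Dict[str, List[str]]) -> str:
    """Turn the dict back into a header value for add_header."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


if __name__ == "__main__":
    for finding in find_weak_sources(parse_csp(POST_CSP)):
        print("-", finding)
    # Building a policy the way the procedure describes, from 'none' upwards.
    strict = parse_csp("default-src 'none'")
    allow(strict, "script-src", "'self'")
    allow(strict, "img-src", "'self'")
    allow(strict, "img-src", "data:")
    print(serialize(strict))
```

On the post's policy the checker reports the four permissive entries (the wildcard, 'unsafe-inline' and 'unsafe-eval' in script-src, and the wildcard in object-src); on a policy started from default-src 'none' every fetch directive resolves to 'none' until it is granted explicitly, which is why the console shows a violation for each resource the page needs.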
