Improve headers for security #4757
base: staging
Conversation
We had previously decided to not do HSTS for subdomains because it would affect services on your domain other than Mailcow. I think that still holds, especially since it's near impossible to turn off HSTS later.
Mkay, I removed the includeSubdomains part.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Please do not mark it as stale.
How do reverse proxies behave on that?
I don't understand the question 0.0
No problem. Will reverse proxies still work with those changes? As these are changed directly at the root webserver. I'm not that fit with those security headers, that's why I ask, plus to ensure the functionality with reverse proxies.
It works fine with Mailcow on the stable branch. I have not tested with SOGo yet, as I do not use it. I am using it on my own server as you can see here: https://mail.tommytran.io
It should work with the bootstrap theme now
@DerLinkman These changes work fine with SOGo, I have tested them. They probably won't work with stuff like Gitea etc. that you have in the docs. Maybe we can move them down to the location blocks to make it work. The other approach (and IMO the better approach) is to leave it like this and give instructions to overwrite the headers set at the root inside of the location blocks for those reverse proxies. I have my CSP policy for Gitea listed here https://github.com/tommytran732/Gitea-Docker-Compose/blob/main/swag/nginx/ssl.conf#L32... I am not sure about the other stuff. Someone gotta make the CSP policies for them.
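The approach described in the comment above (keep the headers at the server level and re-declare them inside any location block that proxies another service), as an added nginx example that is not part of this pull request or of mailcow's own configuration; the host name, the `/gitea/` location, the upstream names and the policy for the proxied app are placeholders, and the mailcow CSP value is abbreviated from the one in the diff.

```nginx
server {
    listen 443 ssl http2;
    server_name mail.example.com;   # placeholder host

    # Headers declared at server level apply to every response of this
    # server block, but only in locations that declare no add_header of
    # their own (nginx inheritance rule for add_header). The "always"
    # parameter makes nginx emit them on 4xx/5xx responses as well.
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy strict-origin always;
    # Abbreviated from the policy proposed in the pull request.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'none'" always;

    location / {
        # No add_header here, so all server-level headers are inherited.
        proxy_pass http://mailcow_ui;   # placeholder upstream
    }

    location /gitea/ {
        # This block contains its own add_header, so NOTHING from the server
        # level is inherited: every header the proxied app should still carry
        # has to be repeated here.
        add_header Strict-Transport-Security "max-age=15768000" always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy strict-origin always;

        # Drop any CSP the upstream sends itself; two CSP headers would be
        # enforced together (intersection), which is rarely what is intended.
        proxy_hide_header Content-Security-Policy;
        # App-specific policy for the proxied service (placeholder value,
        # not a tested policy for Gitea or any other application).
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

        proxy_pass http://gitea_backend;   # placeholder upstream
    }
}
```

Sending a request to each location and comparing the response headers (for example with `curl -sI`) shows the difference: the `/` response carries the server-level list, while `/gitea/` carries only what is re-declared in its own block.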
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close. It is not stale.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
@@ -13,14 +13,18 @@ | |||
ssl_session_timeout 1d; | |||
ssl_session_tickets off; | |||
|
|||
add_header Strict-Transport-Security "max-age=15768000;"; | |||
add_header Strict-Transport-Security "max-age=15768000; preload"; |
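Review bot: the `preload` token added on `add_header Strict-Transport-Security "max-age=15768000; preload";` has no effect as written; hstspreload.org only accepts a policy that carries includeSubDomains and a max-age of at least 31536000 seconds, and this line keeps max-age=15768000 without includeSubDomains. Since the conversation agrees includeSubDomains must stay off for this project (it would bind every service on the domain, and a preload-list entry is effectively permanent), drop `preload` and keep `add_header Strict-Transport-Security "max-age=15768000";`. Consider adding the `always` parameter to this line so the HSTS header is also emitted on 4xx/5xx responses, which are otherwise sent without it.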
According to https://hstspreload.org, preload has no effect when includeSubDomains is not specified. And we definitely don't want that option as it has an effect outside of Mailcow.
I agree that it should be removed, a quote also from hstspreload.org:
If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default.
add_header X-Content-Type-Options nosniff; | ||
add_header X-XSS-Protection "1; mode=block"; | ||
add_header X-XSS-Protection "0"; |
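Review bot: if `add_header X-XSS-Protection "0";` is kept at all, `0` is the right value, because the `1; mode=block` filter it replaces was itself a source of problems; but current browsers ignore this header and the Content-Security-Policy added further down in this hunk covers the same ground, so removing the line outright, as the comment above suggests, is the cleaner change and leaves one less legacy header to explain in the docs.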
Remove this option entirely. As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection, it is superseded by the Content-Security-Policy and not supported by any browser anymore.
add_header X-Robots-Tag none; | ||
add_header X-Download-Options noopen; | ||
add_header X-Frame-Options "SAMEORIGIN" always; | ||
add_header X-Permitted-Cross-Domain-Policies none; | ||
add_header Referrer-Policy strict-origin; | ||
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; | ||
add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com https://www.gravatar.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"; |
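Review bot: `add_header X-Frame-Options "SAMEORIGIN" always;` and the `frame-ancestors 'none'` source in the Content-Security-Policy line contradict each other; browsers that understand frame-ancestors ignore X-Frame-Options, so the effective policy is "no framing at all", and the legacy header should say `DENY` to match (or frame-ancestors should become `'self'` if the UI ever frames itself). Three further points on these lines: `script-src 'self' 'unsafe-inline'` together with `style-src 'self' 'unsafe-inline'` leaves the policy with little value against injected script, which is worth stating in the PR description as a known limitation until the UI can move to nonces or hashes; `block-all-mixed-content` is deprecated and redundant next to `upgrade-insecure-requests`; and X-Frame-Options is the only line carrying `always`, so every other header in this list is silently omitted on 4xx/5xx responses. Finally, because nginx inherits add_header only into locations that declare none of their own, any location block for a reverse-proxied service (the Gitea case raised in the conversation) that adds even one header of its own loses this entire list, which is why the suggestion to document re-declaring the headers per location should ship with this change.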
Is this list still complete? The pull request is a year old, perhaps we now have different external dependencies?
I am still using this on my mailcow instance and have not had any issues. I can check later but I'd still expect it to work.
Signed-off-by: Tommy <[email protected]>
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Do not close
I added Permissions-Policy and Content-Security-Policy. I have tested these with the admin panel and FIDO2.
XSS filtering should be set to 0 as it could cause issues by itself according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection.
HSTS should be preloaded and include subdomains. I don't see a reason not to.