PHRAS-3859 increase security with headers (#4325)

* fix port value on nginx proxy case

* increase security using headers

* PHRAS-3859 add security: set the PHP session cookie HttpOnly
This commit is contained in:
moctardiouf
2023-06-26 10:51:45 +02:00
committed by GitHub
parent 71d725e4a0
commit 1215f82c30
3 changed files with 8 additions and 4 deletions


@@ -18,7 +18,8 @@ if [ ! -z "$GATEWAY_FASTCGI_HTTPS" ]; then
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS $GATEWAY_FASTCGI_HTTPS;"
else
echo "NO GATEWAY_FASTCGI_HTTPS is defined"
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;"
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS on;fastcgi_param SERVER_PORT 443;"
fi
cat /nginx.conf.sample | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_SEND_TIMEOUT/$GATEWAY_SEND_TIMEOUT/g" | sed "s/\$GATEWAY_FASTCGI_TIMEOUT/$GATEWAY_FASTCGI_TIMEOUT/g" | sed "s/\$MAX_BODY_SIZE/$MAX_BODY_SIZE/g" | sed "s/\$GATEWAY_PROXY_TIMEOUT/$GATEWAY_PROXY_TIMEOUT/g" | sed "s/\$NEW_TARGET/$NEW_TARGET/g" | sed "s/\$NEW_RESOLVER/$NEW_RESOLVER/g" | sed "s/\$GATEWAY_FASTCGI_HTTPS/$GATEWAY_FASTCGI_HTTPS/g" > /etc/nginx/conf.d/default.conf
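Review bot: `fastcgi_param SERVER_PORT 443` is only emitted in the `else` branch on L23, so a deployment that sets `GATEWAY_FASTCGI_HTTPS=on` explicitly still gets the port mismatch the commit title says it fixes, and a deployment that sets it to `off` would still be fine only by accident of which branch it takes. Branching once on the effective HTTPS value, with the port parameter derived from it, keeps both paths consistent; the `443` is still an assumption that the TLS-terminating front end listens on the default port, which deserves a comment or its own variable. Note also that the value is spliced into the config by an unescaped `sed` substitution on L25, so the directive text must never contain `/` or `&`; the constants added here are safe, but an operator-supplied value is not validated. The surrounding script continues outside this hunk.
```shell
if [ -z "$GATEWAY_FASTCGI_HTTPS" ]; then
    echo "NO GATEWAY_FASTCGI_HTTPS is defined"
    GATEWAY_FASTCGI_HTTPS=on
fi
# Only force SERVER_PORT when the upstream proxy terminates TLS (assumed to listen on 443).
GATEWAY_FASTCGI_PORT_PARAM=""
if [ "$GATEWAY_FASTCGI_HTTPS" = "on" ]; then
    GATEWAY_FASTCGI_PORT_PARAM="fastcgi_param SERVER_PORT 443;"
fi
GATEWAY_FASTCGI_HTTPS="fastcgi_param HTTPS $GATEWAY_FASTCGI_HTTPS;$GATEWAY_FASTCGI_PORT_PARAM"
# … unchanged: cat /nginx.conf.sample | sed … > /etc/nginx/conf.d/default.conf …
```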


@@ -23,13 +23,13 @@ http {
#tcp_nopush on;
server_tokens off;
#gzip on;
## Security headers for Nginx ##
## Security headers for Nginx ##
add_header Strict-Transport-Security "max-age=15768000" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Content-Security-Policy "default-src 'self' * 127.0.0.1 data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://www.google.com http://www.google-analytics.com/gtm/js https://*.gstatic.com https://ajax.googleapis.com;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.google.com https://www.gstatic.com;img-src 'self' data:";
add_header Content-Security-Policy "default-src 'self' 127.0.0.1 https://fonts.gstatic.com data: ;script-src 'unsafe-inline' 'unsafe-eval' 'self' https://www.gstatic.com ;style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.gstatic.com;img-src 'self' data:; object-src 'self';frame-ancestors 'self' ";
include /etc/nginx/conf.d/*.conf;
}
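Review bot: These `add_header` directives sit in the `http` block, and nginx inherits `add_header` from an outer level only when the inner `server`/`location` declares none of its own; the `include /etc/nginx/conf.d/*.conf` on L42 pulls in the generated `default.conf`, so a single `add_header` there (a cache or CORS header on one location, say) silently drops every security header set here on that path. Either move these into a snippet that is `include`d in each server/location, or add a deployment check (`curl -I` on an application URL) that asserts they reach the client. On the policy itself, `script-src 'unsafe-inline' 'unsafe-eval'` on L41 means the CSP does not block injected scripts, so a comment such as `# CSP is a compatibility policy, not an XSS control, until the app can use nonces` would stop the next reader from over-trusting it; `object-src 'self'` can usually be tightened to `object-src 'none'` and `base-uri 'self'` added. `X-Xss-Protection "1; mode=block"` is deprecated and the legacy auditor it enables has been abused for cross-site leaks, so current guidance is `add_header X-Xss-Protection "0" always;` or dropping the header.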


@@ -1330,6 +1330,9 @@ session.save_handler = $SESSION_SAVE_HANDLER
; http://php.net/session.save-path
session.save_path = $SESSION_SAVE_PATH
session.hash_bits_per_character = 6
session.hash_function = 1
; Whether to use strict session mode.
; Strict session mode does not accept uninitialized session ID and regenerate
; session ID if browser sends uninitialized session ID. Strict mode protects
@@ -1374,7 +1377,7 @@ session.cookie_domain =
; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
; http://php.net/session.cookie-httponly
session.cookie_httponly =
session.cookie_httponly = 1
; Handler used to serialize data. php is the standard serializer of PHP.
; http://php.net/session.serialize-handler
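Review bot: `session.hash_bits_per_character` and `session.hash_function` on L50–L51 are the pre-7.1 settings; PHP 7.1 removed them (together with `session.entropy_*`) in favour of `session.sid_length` and `session.sid_bits_per_character`, so on a 7.1+ runtime — the PHP version is not visible in this diff — both lines are ignored and the session-ID strength is whatever the engine default is. If the goal is a stronger session ID, the equivalent today is `session.sid_length = 48` and `session.sid_bits_per_character = 6`, ideally with `session.use_strict_mode = 1` (the strict-mode comment is in this hunk on L52–L54, its value line is not) so the server rejects IDs it did not issue. In the second hunk `session.cookie_httponly = 1` is correct; since the nginx side of this commit now sends HSTS, `session.cookie_secure = 1` and `session.cookie_samesite = Lax` would match that assumption — those directives are outside the hunk, so check they are not still empty.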