From 0b14e8940471fa9e3b97b4ac9a7839b098373bd9 Mon Sep 17 00:00:00 2001 From: Carol Willing Date: Wed, 7 Sep 2016 22:00:33 -0700 Subject: [PATCH] Add info on updates and Qualsys SSL analyzer to docs --- docs/source/getting-started.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/source/getting-started.md b/docs/source/getting-started.md index 1a6e810d..80397563 100644 --- a/docs/source/getting-started.md +++ b/docs/source/getting-started.md @@ -218,7 +218,7 @@ security configuration: 2. Cookie secret (a key for encrypting browser cookies) 3. Proxy authentication token (used for the Hub and other services to authenticate to the Proxy) -## SSL encryption +### SSL encryption Since JupyterHub includes authentication and allows arbitrary code execution, you should not run it without SSL (HTTPS). This will require you to obtain an official, trusted SSL certificate or @@ -249,7 +249,7 @@ Note: In certain cases, e.g. **behind SSL termination in nginx**, allowing no SS running on the hub may be desired. To run the Hub without SSL, you must opt in by configuring and confirming the `--no-ssl` option, added as of [version 0.5](./changelog.html). -## Cookie secret +### Cookie secret The cookie secret is an encryption key, used to encrypt the browser cookies used for authentication. If this value changes for the Hub, all single-user servers must also be restarted. @@ -291,7 +291,7 @@ You can also set the secret in the configuration file itself as a binary string: c.JupyterHub.cookie_secret = bytes.fromhex('VERY LONG SECRET HEX STRING') ``` -## Proxy authentication token +### Proxy authentication token The Hub authenticates its requests to the Proxy using a secret token that the Hub and Proxy agree upon. The value of this string should be a random string (for example, generated by `openssl rand -hex 32`). You can pass this value to the Hub and Proxy using either the `CONFIGPROXY_AUTH_TOKEN` environment variable: 
@@ -313,6 +313,17 @@ subprocess of the Hub, this should happen automatically (this is the default con Another time you must set the Proxy authentication token yourself is if you want other services, such as [nbgrader](https://github.com/jupyter/nbgrader) to also be able to connect to the Proxy. +### Security audits + +We recommend that you do periodic reviews of your deployment's security. It's +good practice to keep JupyterHub, configurable-http-proxy, and nodejs up to +date. + +A handy website for testing your deployment is +[Qualsys' SSL analyzer tool](https://www.ssllabs.com/ssltest/analyze.html). + + + ## Authentication and users The default Authenticator uses [PAM][] to authenticate system users with their username and password.
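Review bot: the three `## ` to `### ` hunks (SSL encryption, Cookie secret, Proxy authentication token) demote these sections one level so they nest under the "security configuration" section, but the commit message only mentions the updates note and the SSL analyzer link. Please mention the heading restructure in the message, and check that the parent heading introducing the three items ("security configuration:") is itself a `##` heading so the new `###` levels render as its subsections.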
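Review bot: in the `+### Security audits` hunk the vendor name is misspelled; the linked tool at ssllabs.com is the Qualys SSL Labs server test, so "Qualsys' SSL analyzer tool" should read "Qualys' SSL Labs analyzer" (the commit subject has the same typo). Two style points in the same hunk: "nodejs" should be written "Node.js" to match the project name, and the three trailing `+` blank lines before `## Authentication and users` leave extra vertical space, one blank line is enough. One caveat worth adding to the text: the SSL Labs test only probes the externally reachable TLS endpoint, so for the nginx-termination setup described just above (the `--no-ssl` case) it reports on nginx's certificate and cipher configuration, not on anything the Hub itself serves; a sentence saying which endpoint to enter would prevent a false sense of coverage.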