Update task documentation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
@@ -1,46 +1,3 @@
|
|||||||
## TASK-013 — nginx missing security response headers
|
|
||||||
|
|
||||||
**Severity:** High
|
|
||||||
|
|
||||||
### Where found
|
|
||||||
`Docker/nginx.conf` — the server block has no `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, or `Strict-Transport-Security` headers.
|
|
||||||
|
|
||||||
### Why this is needed
|
|
||||||
Without these headers:
|
|
||||||
- **No CSP** — injected scripts can run freely (XSS).
|
|
||||||
- **No X-Frame-Options** — the app can be embedded in an iframe on an attacker-controlled page (clickjacking).
|
|
||||||
- **No X-Content-Type-Options** — browsers may MIME-sniff responses and execute text/plain as JavaScript.
|
|
||||||
- **No Referrer-Policy** — internal URLs are leaked in the `Referer` header to third-party resources.
|
|
||||||
- **No HSTS** — even with HTTPS configured, browsers will still attempt HTTP first unless told otherwise.
|
|
||||||
|
|
||||||
### Goal
|
|
||||||
Add all OWASP-recommended security headers to the nginx server block.
|
|
||||||
|
|
||||||
### What to do
|
|
||||||
Add to the `server` block in `nginx.conf`:
|
|
||||||
```nginx
|
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always;
|
|
||||||
add_header X-Frame-Options "DENY" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header Referrer-Policy "no-referrer" always;
|
|
||||||
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
|
||||||
# Only add HSTS when HTTPS is confirmed:
|
|
||||||
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
|
||||||
```
|
|
||||||
|
|
||||||
### Possible traps and issues
|
|
||||||
- Fluent UI v9 uses inline `style` attributes — `style-src 'self' 'unsafe-inline'` is required for now. A stricter CSP using nonces would require server-side rendering of the HTML shell.
|
|
||||||
- HSTS must only be added when HTTPS is fully configured and working — it is irreversible for the configured `max-age`.
|
|
||||||
- Use `always` on `add_header` so headers are also included in error responses (4xx, 5xx).
|
|
||||||
|
|
||||||
### Docs changes needed
|
|
||||||
- `Architekture.md` — document the nginx security header configuration.
|
|
||||||
|
|
||||||
### Doc references
|
|
||||||
- [Architekture.md](Architekture.md) — nginx configuration
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
## TASK-014 — `add_log_path` passes arbitrary paths to fail2ban — no allowlist
|
## TASK-014 — `add_log_path` passes arbitrary paths to fail2ban — no allowlist
|
||||||
|
|
||||||
**Severity:** High
|
**Severity:** High
|
||||||
|
|||||||
Reference in New Issue
Block a user