lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactoring-backend #3

Merged
lukas.pupkalipinski merged 403 commits from refactoring-backend into main 2026-05-20 20:23:46 +02:00
Conversation 0 Commits 403 Files Changed 549 -43
1 changed files with 0 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit b9e046bd66 - Show all commits

43
Docs/Tasks.md
View File

@@ -1,46 +1,3 @@
## TASK-013 — nginx missing security response headers
**Severity:** High
### Where found
`Docker/nginx.conf` — the server block has no `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, or `Strict-Transport-Security` headers.
### Why this is needed
Without these headers:
- **No CSP** — injected scripts can run freely (XSS).
- **No X-Frame-Options** — the app can be embedded in an iframe on an attacker-controlled page (clickjacking).
- **No X-Content-Type-Options** — browsers may MIME-sniff responses and execute text/plain as JavaScript.
- **No Referrer-Policy** — internal URLs are leaked in the `Referer` header to third-party resources.
- **No HSTS** — even with HTTPS configured, browsers will still attempt HTTP first unless told otherwise.
### Goal
Add all OWASP-recommended security headers to the nginx server block.
### What to do
Add to the `server` block in `nginx.conf`:
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Only add HSTS when HTTPS is confirmed:
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
```
### Possible traps and issues
- Fluent UI v9 uses inline `style` attributes — `style-src 'self' 'unsafe-inline'` is required for now. A stricter CSP using nonces would require server-side rendering of the HTML shell.
- HSTS must only be added when HTTPS is fully configured and working — it is irreversible for the configured `max-age`.
- Use `always` on `add_header` so headers are also included in error responses (4xx, 5xx).
### Docs changes needed
- `Architekture.md` — document the nginx security header configuration.
### Doc references
- [Architekture.md](Architekture.md) — nginx configuration
---
## TASK-014 — `add_log_path` passes arbitrary paths to fail2ban — no allowlist
**Severity:** High