From 6dc03ebabbbb593a2e72ce0b2d7744d48469e9b6 Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 24 Jun 2015 15:07:58 +0200
Subject: [PATCH] add header security directives for nginx (see core #15342)
---
 admin_manual/configuration_server/harden_server.rst | 9 ++++++---
 admin_manual/installation/nginx_configuration.rst | 10 +++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/admin_manual/configuration_server/harden_server.rst b/admin_manual/configuration_server/harden_server.rst
index f8ee8ad61..4b25a2b7f 100644
--- a/admin_manual/configuration_server/harden_server.rst
+++ b/admin_manual/configuration_server/harden_server.rst
@@ -145,14 +145,17 @@ However, these headers are added by the applications code in PHP and thus not
 served on static resources and rely on the fact that there is no way to bypass the intended response code path.
-For optimal security administrators are encouraged to serve these basic HTTP
-headers by the web server to enforce them on response. To do this Apache has to
-be configured to use the ``.htaccess`` file as well as the following Apache
+For optimal security, administrators are encouraged to serve these basic HTTP
+headers by the web server to enforce them on response.
+
+Apache has to be configured to use the ``.htaccess`` file as well as the following Apache
 modules needs to be enabled:
 - mod_headers
 - mod_env
+For nginx, please see the nginx configuration example :ref:`nginx_configuration_example`
+
 Administrators can verify whether this security change is active by accessing a static resource served by the web server and verify that above mentioned security headers are shipped.
diff --git a/admin_manual/installation/nginx_configuration.rst b/admin_manual/installation/nginx_configuration.rst
index c1c1c46ef..42c1fa979 100644
--- a/admin_manual/installation/nginx_configuration.rst
+++ b/admin_manual/installation/nginx_configuration.rst
@@ -1,3 +1,4 @@
+.. _nginx_configuration_example:
 Nginx Configuration
 ===================
@@ -34,6 +35,13 @@ Nginx Configuration
 ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
 ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+
 # Path to the root of your installation
 root /var/www/owncloud/;
 # set max upload size
@@ -105,4 +113,4 @@ Nginx Configuration
 - Remove **ssl_certificate** and **ssl_certificate_key**.
 - Remove **fastcgi_params HTTPS on;**
-.. note:: If you are using php-fpm please read :ref:`using_php-fpm`
\ No newline at end of file
+.. note:: If you are using php-fpm please read :ref:`using_php-fpm`
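Review bot: The five `add_header` lines added after `ssl_certificate_key` are inherited by a `location` block only when that block sets no `add_header` of its own, so any location in the surrounding `server` block (not visible in this hunk) that adds even one header silently drops all of these for its responses, which defeats the intent stated in harden_server.rst of enforcing them on every response. That caveat belongs next to the `# Add headers to serve security related headers` comment, e.g. `# nginx does not merge add_header across levels: a location that sets its own add_header must repeat these`. The `preload` token in the Strict-Transport-Security value only takes effect once the domain is submitted to the browser HSTS preload list, and that listing covers every subdomain and is hard to undo, so the example should either omit it or mark it as a deliberate opt-in rather than a default. The enclosing server block begins and ends outside this hunk.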