PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-25 16:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden security based on pentest scan findings

Browse Source 
- Add Content-Security-Policy to main nginx server block (was only on /admin/)
- Add Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers
- Add includeSubDomains to HSTS header
- Set HttpOnly, Secure, SameSite=Lax session cookie params on public pages
  (AdminAuth already hardens the /admin session with SameSite=Strict)
- Update xamxam.conf.reference and SECURITY_HEADERS.md to match
This commit is contained in:
Pontoporeia
2026-05-11 18:03:14 +02:00
parent 4717b4d67e
commit 04094d802d
7 changed files with 37 additions and 484 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
nginx/docs/SECURITY_HEADERS.md
View File

@@ -4,16 +4,20 @@
| Header | Value | Purpose |
|--------|-------|---------|
| `Strict-Transport-Security` | `max-age=63072000; includeSubDomains; preload;` | HSTS — forces HTTPS |
| `Content-Security-Policy` | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; block embedding |
| `X-Frame-Options` | `SAMEORIGIN` | Prevent clickjacking |
| `X-Content-Type-Options` | `nosniff` | Prevent MIME-type sniffing |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer leakage |
| `Permissions-Policy` | `geolocation=(), microphone=(), camera=()` | Disable unused browser APIs |
| `Cross-Origin-Opener-Policy` | `same-origin` | Isolates browsing context |
| `Cross-Origin-Resource-Policy` | `same-origin` | Controls cross-origin resource sharing |
## Headers in use (`/admin/` location block)
## Headers in use (`/admin/` location block — inherited from main + overrides)
| Header | Value | Purpose |
|--------|-------|---------|
| `Content-Security-Policy` | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; block embedding |
| `Content-Security-Policy` | `default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';` | Restrict resource origins; allows inline scripts for OverType editor |
| `X-Robots-Tag` | `noindex, nofollow` | Prevent search-engine indexing of admin |
These were previously declared in `public/admin/.htaccess` as Apache
@@ -36,8 +40,3 @@ no protection and may introduce risk.
**Correct mitigation:** a proper `Content-Security-Policy` header (now done for
`/admin/`; public-page CSP is todo item #11).
## Pending headers
| Header | Scope | Status |
|--------|-------|--------|
| `Content-Security-Policy` | Public pages (non-admin) | ⏳ todo item #11 |

6
nginx/xamxam.conf
View File

@@ -36,12 +36,14 @@ server {
index index.php index.html index.htm;
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
# CSP (Content-Security-Policy) is the correct mitigation.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Server tokens already disabled in nginx.conf
# server_tokens off;

6
nginx/xamxam.conf.reference
View File

@@ -34,12 +34,14 @@ server {
index index.php index.html index.htm;
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
# CSP (Content-Security-Policy) is the correct mitigation.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Server tokens already disabled in nginx.conf
# server_tokens off;