PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
7fca85d1c12a9813f1b5f8994b8ee8e5fdd69c56
xamxam/nginx/SECURITY_HEADERS.md
Théophile Gervreau-Mercier a2b1ff5f41 security: fix all HIGH priority items from TODO.SECURITY.md 
Items resolved:
- #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage).
  Uploads were previously stored in public/admin/actions/data/ which is web-accessible.
- #4 (HIGH): Align file paths and add media.php controller.
  DB paths are now storage-relative (theses/YEAR/ID/file, covers/file).
  New public/media.php serves files with path-traversal jail, MIME allow-list,
  and proper caching headers. memoire.php and search.php updated to use /media.php?path=.
  Also fixed: cover images were never recorded in thesis_files (broken INSERT).
- #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only.
  HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that
  allowed unlimited rate-limit bypass by rotating spoofed IPs.
- #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf.
  Apache .htaccess directives are silently ignored by nginx; none were active.
  CSP added to /admin/ location block, .log file denial added globally,
  autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md.

Supporting changes:
- config/bootstrap.php: add STORAGE_ROOT constant
- nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP
- docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated
2026-02-08 14:01:45 +01:00

1.8 KiB
Raw Blame History

Security Headers — nginx/posterg.conf

Headers in use (main server block — all pages)

Header Value Purpose
X-Frame-Options SAMEORIGIN Prevent clickjacking
X-Content-Type-Options nosniff Prevent MIME-type sniffing
Referrer-Policy strict-origin-when-cross-origin Limit referrer leakage
Permissions-Policy geolocation=(), microphone=(), camera=() Disable unused browser APIs

Headers in use (/admin/ location block)

Header Value Purpose
Content-Security-Policy default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; Restrict resource origins; block embedding
X-Robots-Tag noindex, nofollow Prevent search-engine indexing of admin

These were previously declared in public/admin/.htaccess as Apache mod_headers directives, which nginx silently ignores. They are now enforced directly; see HTACCESS_TO_NGINX.md for the full migration log.

Intentionally omitted headers

X-XSS-Protection

This header was removed (was "1; mode=block").

Why: X-XSS-Protection is deprecated and removed from all modern browsers (Chrome 78+, Firefox never implemented it, Edge dropped it). Worse, the mode=block behaviour can be actively exploited to expose response bodies that would otherwise be blocked. Sending it provides no protection and may introduce risk.

Correct mitigation: a proper Content-Security-Policy header (now done for /admin/; public-page CSP is todo item #11).

Pending headers

Header Scope Status
Content-Security-Policy Public pages (non-admin) todo item #11
Reference in New Issue View Git Blame Copy Permalink