mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 19:19:19 +02:00
f5d3281c43
Item 13 — Remove deprecated X-XSS-Protection header
- nginx/posterg.conf: header removed (was '1; mode=block')
- nginx/SECURITY_HEADERS.md: new file documenting header decisions
and explaining why X-XSS-Protection is counterproductive
Item 14 — Add rel="noreferrer" to external target="_blank" link
- public/admin/thanks.php: rel="noopener" → rel="noopener noreferrer"
Item 15 — Explicit (int) casts on all integer HTML outputs
- public/index.php: (int) on item id, page numbers
- public/search.php: (int) on totalItems, year options, item id, pagination
Item 16 — Remove unused DATABASE_PATH constant
- config/bootstrap.php: define('DATABASE_PATH', ...) removed
docs/TODO.SECURITY.md updated: items 13-16 marked resolved and
moved to the ✅ Resolved section.
142 lines
4.0 KiB
Plaintext
142 lines
4.0 KiB
Plaintext
# Nginx configuration for Post-ERG thesis website (Production)
|
|
# Based on existing default config with security enhancements
|
|
# Place this in /etc/nginx/sites-available/posterg
|
|
|
|
# Rate limiting zones
|
|
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
|
|
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
|
|
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
|
|
|
|
# Main server block
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
|
|
server_name posterg.erg.be www.posterg.erg.be;
|
|
|
|
root /var/www/posterg/public;
|
|
|
|
# Add index.php to the list
|
|
index index.php index.html index.htm;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
# X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
|
|
# CSP (Content-Security-Policy) is the correct mitigation (see item #11).
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
|
|
|
# Server tokens already disabled in nginx.conf
|
|
# server_tokens off;
|
|
|
|
# Max upload size (for thesis files)
|
|
client_max_body_size 100M;
|
|
client_body_timeout 120s;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/posterg_access.log;
|
|
error_log /var/log/nginx/posterg_error.log warn;
|
|
|
|
# Block access to hidden files (except .well-known for Let's Encrypt)
|
|
location ~ /\.(?!well-known).* {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
# Deny access to sensitive files
|
|
location ~* \.(md|txt|sql|sh|json|gitignore)$ {
|
|
deny all;
|
|
}
|
|
|
|
# Deny access to database directory
|
|
location ^~ /database/ {
|
|
deny all;
|
|
}
|
|
|
|
# Deny access to shared/ directory (PHP includes only)
|
|
location ^~ /shared/ {
|
|
deny all;
|
|
}
|
|
|
|
# Deny access to data directory
|
|
location ^~ /data/ {
|
|
deny all;
|
|
}
|
|
|
|
# Admin panel - password protected
|
|
location ^~ /admin/ {
|
|
# HTTP Basic Authentication
|
|
auth_basic "Admin Access - Post-ERG";
|
|
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
|
|
|
|
# Rate limiting for admin
|
|
limit_req zone=admin burst=5 nodelay;
|
|
|
|
# Allow access to public assets without authentication
|
|
location ~ ^/admin/(css|js|images)/ {
|
|
auth_basic off;
|
|
}
|
|
|
|
# PHP handling for admin
|
|
location ~ \.php$ {
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
|
|
}
|
|
|
|
# Additional security headers for admin
|
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
|
|
|
# Try to serve file, otherwise 404
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
# Search endpoint - rate limiting
|
|
location = /search.php {
|
|
limit_req zone=search burst=10 nodelay;
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
|
|
}
|
|
|
|
# PHP files handler
|
|
location ~ \.php$ {
|
|
# Rate limiting for general PHP requests
|
|
limit_req zone=general burst=20 nodelay;
|
|
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
|
|
|
|
# Security parameters
|
|
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
|
|
|
|
# Timeouts
|
|
fastcgi_read_timeout 120;
|
|
fastcgi_send_timeout 120;
|
|
}
|
|
|
|
# Static files caching
|
|
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# PDF files (thesis documents)
|
|
location ~* \.pdf$ {
|
|
expires 7d;
|
|
add_header Cache-Control "public";
|
|
add_header Content-Disposition "inline";
|
|
}
|
|
|
|
# Root location - try files or 404
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
# Deny access to .htaccess files (if Apache's document root concurs with nginx's)
|
|
location ~ /\.ht {
|
|
deny all;
|
|
}
|
|
}
|