Add security headers to nginx config #1244

Merged (3 commits), May 14, 2020

Conversation

@Dalabad (Contributor) commented Apr 24, 2020

Increase the security of the nginx server and the served page by adding the following security headers to the nginx config:

  • X-Frame-Options (Disables clickjacking by disallowing the page to be run in a frame/iframe)
  • X-XSS-Protection (Enables cross-site scripting filtering)
  • X-Content-Type-Options (Disables MIME sniffing and forces the browser to use the type given in Content-Type.)
  • Content-Security-Policy (Controls the resources the user agent is allowed to load for a given page.)
  • Referrer-Policy (Governs which referrer information, sent in the Referer header, should be included with requests.)

Additional headers that could be added optionally:

  • Strict-Transport-Security (Enforce HTTPS over HTTP)

@RomanHotsiy (Member) commented

Thanks for the PR!

Have you tested whether Redoc works with those headers enabled? I remember an issue report related to Content-Security-Policy and web workers, so I want to make sure you verified it works.

@Dalabad (Contributor, Author) commented May 11, 2020

I had to restructure the add_header commands, as nginx does not correctly inherit the headers from higher hierarchies.

Here is a running version of this branch with the added headers: Redoc-PR-1244

So far I could not identify any problems with the added headers interfering in any way.

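The inheritance rule behind the restructuring mentioned above is nginx's own: `add_header` directives are inherited from the enclosing level only if the current block declares no `add_header` of its own, so a `location` that adds even one unrelated header silently drops every server-level security header. The fragment below is an added example, not the Redoc project's nginx config or the configuration from this PR; the server name, root, the `/assets/` location and the specific header values are placeholders chosen for illustration.

```nginx
# Added example (not the project's config). Server name, root, the /assets/
# location and the header values are placeholders.
server {
    listen 80;
    server_name redoc.example;      # placeholder
    root /usr/share/nginx/html;     # placeholder

    # Declared once at the server level. These are inherited only by
    # blocks that declare no add_header of their own. "always" (nginx
    # 1.7.5+) also attaches them to 4xx/5xx responses, not just 2xx/3xx.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # Inherits all four headers: no add_header here.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # WEAK (shown commented out): a single location-specific add_header
    # discards the inherited set, so /assets/ responses would carry only
    # Cache-Control and none of the security headers.
    #
    # location /assets/ {
    #     add_header Cache-Control "public, max-age=3600";
    # }

    # FIXED: re-declare the full set alongside the location-specific header.
    # In a real deployment keep the four lines in one snippet file and
    # `include` it in every block that uses add_header, so they cannot drift.
    location /assets/ {
        add_header Cache-Control "public, max-age=3600";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
    }
}
```

Verify each location separately rather than only the front page, for example with `curl -sI http://localhost/assets/app.js` and `curl -sI http://localhost/`, and check an error path too (a 404 under `/assets/`), since without `always` the headers vanish from error responses. Two caveats on the header list itself: X-XSS-Protection is a legacy header that current Chromium-based browsers and Firefox no longer act on, so it adds nothing there (it is harmless with the value above); and Strict-Transport-Security belongs only on the HTTPS `server` block, never on a plain port-80 listener. If Content-Security-Policy is reintroduced, the external fonts, spec files and web workers discussed in this thread each need their own source allowance (`font-src`, `connect-src`, `worker-src`); roll it out as `Content-Security-Policy-Report-Only` first and watch the browser console before enforcing.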
@RomanHotsiy (Member) commented

Thanks!

I see this in the Chrome console:
[image: Chrome console output]

Also, could you please test it on localhost too? Usually, security headers behave funky when it comes to localhost.

@Dalabad (Contributor, Author) commented May 11, 2020

Thanks for the console output.

You were right, the CSP seems to cause problems as configured, since external sources like Google Fonts and swagger files would not load correctly. I've removed the CSP header for now.

I've updated the linked version from my previous commit. I've also tested it locally and did not get any more visible or console errors.

@RomanHotsiy merged commit 4512436 into Redocly:master on May 14, 2020