Check security server


#1

Hello,
Mozilla gives access to his tool online security check.
It’s free and very usefull

https://observatory.mozilla.org/

Enjoy.


Web server security check sites overview
Django_csp used within Seafile application
#2

The problem we are currently having is that seafile won’t work anymore if you follow all the recommendations for configuration. Does anyone have working AND secure configs? Or can the seafile devs help out?


#3

What did you change in your config? We have not all features enabled but i would say our setup is better than some others … You may want to check our setup for the address “login.yoursecurecloud.de”. I could imagine that you have problems if using a Content Security Policy (CSP) header.


#4

@marcusm
which file(s) did you change for:

Prevent browsers from incorrectly detecting non-scripts as scripts

X-Content-Type-Options: nosniff

Block site from being framed

X-Frame-Options: DENY

Block pages from loading when they detect reflected XSS attacks

X-XSS-Protection: 1; mode=block

thx
fabian

EDIT:
found it for apache

	<IfModule mod_headers.c>
	  	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
		Header always set X-Frame-Options SAMEORIGIN
		Header always set X-Content-Type-Options nosniff
		Header always set X-XSS-Protection "1; mode=block"
	</IfModule>

#5

Yes, here you can find a very good site with more Information: https://www.keycdn.com/blog/http-security-headers/ and also https://scotthelme.co.uk/hardening-your-http-response-headers/

Everything has to be done in the webservers config file, after this you should restart the webserver. I would not use every feature, since some are very dangerous to use, if doing it wrong - for example HPKP.


#6

This is what we wanted to use (the commented ones break seafile though):

some security header settings need a2enmod headers

Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”
#Header set Content-Security-Policy “default-src ‘self’”
#Header always edit Set-Cookie (.*) “$1;HttpOnly;Secure”
#Header set X-Content-Type-Options nosniff
Header always append X-Frame-Options DENY


#7

What’s new about this ?

Can we configure these security options without fear that some things gonna no longer work ?
As @dicer says it seems that if we configure the secure cookie for all the website, Seafile doesn’t work anymore, something is planed for this ? It’s the same problem with Content-Security-Policy, maybe need a more precise configuration than “default-src”, if yes which one ?

Thank you


#8

Does someone know how to set cookies with secure flag on nginx without breaking Seafile?

Here is the config for NGINX that will give you a B- in score.
You need to set it in every server block in the config file.

add_header Strict-Transport-Security “max-age=31536000; includeSubDomains” always;
add_header X-Content-Type-Options “nosniff” always;
add_header X-XSS-Protection “1; mode=block” always;
add_header X-Frame-Options “DENY” always;
add_header Referrer-Policy “strict-origin-when-cross-origin” always;
server_tokens off;


#9

Guys, if you are setting up new server and don’t know alot about SSL(Trying setup, use some configuration), please be careful about Strict-Transport-Security. I recommend for first try setup it for one day. Let it works some time and after some days(months?) of production using, setup it for bigger value(HTTP2 require min 1 year). if you setup HSTS for big value on production server and don’t know what is it, you will be unable to stop it working remotly on user’s PC.
@Calby please warn users before recommend something, they can destroy their production settings.


#10

My bad I did not think about to warn them.
But my settings for Strict-Transport-Security should not be a issue for them, it should work.

Btwn, now when I have you in the “thread” do you know how to setup so the cookies from seafile get security flagged?
I don’t seem to get it to work.


#11

It’s not about your setup, it’s correct. But if someone use your HSTS setup without thinking and still playing with SSL(turning it on and off), then his site can be unaccessable for clients, cause if he shutdown SSL the clients still will connecting with HTTPS only. That’s my idea ;).

How did you configured Secure flag?


#12

My seafile currently got B+. There are few things in Seahub which stopping me to do setup for A/A+. But what I think is B+ is OK and secured


#13

What have you done that I haven’t? I have B- only, not sure why.

Regarding the setup for the secure cookies I have not done it at all as I can’t seem to understand how to do it.
I’m running NGINX latest stable version.


#14

NGinx have problem with edit headers.

Problem of Set-Cookie header is that you send it Twice, first is from Seahub, second is your secured flag from nginx. Se my config below I have EDIT instead of SET. I’m uasing Apache

	Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
	Header always set X-Content-Type-Options nosniff
	Header always set X-XSS-Protection "1; mode=block"
	Header always set X-Frame-Options SAMEORIGIN
	Header always set Referrer-Policy "strict-origin"
	Header always set Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.<yourdomain>.<tld>/ 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.<yourdomain>.<tld>; object-src 'none'; frame-ancestors https://*.<yourdomain>.<tld>/; base-uri https://*.<yourdomain>.<tld>/ 'self'"


#15

This one is intresting.
I did not activate CSP as I did not know if it should work with Seafile or broke it.
So I can just copy past this line to my config?
Header always set Content-Security-Policy “default-src ‘none’; script-src http://seafile.com/ https://www.seafile.com/ https://../ ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; img-src ‘self’; font-src data: ‘self’; connect-src ‘self’; style-src ‘self’ ‘unsafe-inline’; frame-src https://..; object-src ‘none’; frame-ancestors https://../; base-uri https://../ ‘self’”


#16

I’m not a expert for CSP settings, but did some research for used values a follow Google guidelines, make some testing if everything works. Most problems was on OnlyOffice and this settings expecting it on subdomain(that’s why I used wildcards https://*.<domain>.<tld>/). You can use it but check what every values doing to get understand it. Replace <> with your domain and tld.


#17

I did try your settings out and I did go from B- to B in score and mozilla tells me this:

Content Security Policy (CSP) implemented unsafely.

This includes ‘unsafe-inline’ or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

But that’s nothing we can do about, I have been reading and as far as I can tell your config is the best one for Seafile.


#18

Yes, unsafe-inline, unsafe-eval and data: are nessesary for Seahub. unsafe-eval and unsafe-inline are for inline CSS and JS. data: is for inline file loading (What I saw that PDF viewer using it for loading scripts).

We can just ask to developers (@daniel.pan ?), if they are will fix inline JS, CSS and DATA calls, but I know that on big project like seahub, it’s not easy to do full refactoring.


#19

Hi agian,
I did find a bug in your config, if you go in and choose a folder or file in webGUI and choose to transfer it then the transfere list will just load.
When I did disable the CSP then it did start to work again.

I can’t investegate it now, but I just wanted to tell you asap if some of your users report a issue with transfering or copy files trough WEBGUI


#20

Just for fast fix you can add blob: to script-src section. But you have to disable cookies secure flag, it cause HTTP 403 about bad CSRF. I have to figure it out tomorrow.