Check security server

Don't know if this helps you. Chrome tells you which directive the blocked resource tried to use (img-src, for example).

add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob:; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; child-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;

Hello there,

I’m currently hardening my seafile server and use mozilla observatory as a benchmark. Unfortunately I’m only achieving a C+. Is anyone getting better results?
I use the CSP settings from @holantomas but those are deemed unsafe because of the use of “unsafe-inline” and ‘unsafe-eval’ in the script-src section. Is anyone aware of better/safer settings?
Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?

It's been a while since you wrote this, but I want to push this topic again. I get B+ as the best result in Mozilla Observatory.

Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?

You also have to set the "SameSite" flag, as explained in the scanner's text.

Here "SameSite=strict" is used; I only added "SameSite=Lax" to the headers. I don't know whether "strict" breaks Seafile.

Edit: I think it's a new criterion on the scanner. I haven't changed anything on my web server but I have gotten a lower grade.

I'm also very much interested in a better CSP. Does anybody have suggestions?

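As an added example (not a config from this thread or from the Seafile project), this is how the SameSite flag the scanner asks for can be set on the nginx side, which is what the proxy_cookie_path approach in the question was reaching for. It assumes the usual Seafile layout where Seahub is proxied from / to 127.0.0.1:8000 and that the cookies carry the Django default names (sessionid, csrftoken); adjust the location, upstream and cookie names to your own setup.

```nginx
# Added example; location, upstream and cookie names are assumptions.
location / {
    proxy_pass       http://127.0.0.1:8000;   # Seahub (assumed upstream)
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # nginx 1.19.3+: append flags to upstream Set-Cookie headers that
    # lack them.  The first matching directive wins per cookie, so the
    # session cookie gets HttpOnly while the catch-all leaves csrftoken
    # readable by front-end JavaScript (Django's CSRF cookie is meant
    # to be read by scripts and echoed back in a request header).
    proxy_cookie_flags sessionid secure httponly samesite=lax;
    proxy_cookie_flags ~         secure samesite=lax;

    # Before 1.19.3 the only knob is the Path rewrite; proxy_cookie_path
    # alone changes nothing unless the flags are appended to the
    # replacement string:
    # proxy_cookie_path / "/; Secure; SameSite=Lax";
}
```

Lax is the safe first choice: Strict drops the cookie on top-level navigations from other sites, so a user following a share link from an e-mail would look logged out until they reload. If your Seafile ships a Django 2.1 or newer, the same can be done on the application side with SESSION_COOKIE_SAMESITE and CSRF_COOKIE_SAMESITE in seahub_settings.py. One nginx pitfall worth checking against the scanner output: add_header directives are inherited from the server level only when a location block defines no add_header of its own, so security headers set in one block can silently vanish from responses served by another.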

That's funny, because if you use my settings you get a better score, but that's the whole story. There are inline scripts, styles and sources like base64 files. So if you block them via CSP, some parts just stop working (the PDF viewer, for example). My settings just add the parts the CSP validator says are missing.

For everyone:
Until the Seafile developers change inline styles, JS scripts and blob sources to something safer, you have to have 'unsafe-inline'. Leaving these settings out is the same as having them in your settings; the only difference is the points in the validator.

Devs, can we get an update on this? I can’t get past a B+ on Mozilla Observatory.

Edit: running CE 7.0.4


bump, bump

Bumpty bump …


Did somebody dig around and find a safer way to establish a CSP for the new Seafile versions?

Does anyone have an Nginx config that will get Seafile 10.X at least a B on Mozilla Observatory? -Thanks


What do you get from securityheaders.com? -Thank you


Does this help at all?

add_header Referrer-Policy "same-origin";

In fact there is an error on my website with Seafile when I add the CSP
add_header Content-Security-Policy "default-src 'self';" always;
or
add_header Content-Security-Policy "default-src 'self';";
Seafile no longer appears.
I go back to C when Seafile works again.

When I apply your directive,
I get B on https://securityheaders.com/
and C+ at observatory.mozilla.org

I am now seeing:

Mozilla: B+
Security Headers: A

with the directive 'add_header Referrer-Policy "same-origin";' included.

It seems like the biggest problem is with Content-Security-Policy (CSP) which Mozilla scores at -20.

Presently CSP is simply:

add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';";

Can the 'unsafe-inline' be removed? That seems to be the big problem for the scoring sites.

-Thanks

Adding this CSP resulted in 20 more points on Mozilla:

add_header Content-Security-Policy "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' http: https:; object-src 'none'; base-uri 'none'; require-trusted-types-for 'script';";

Security Headers increased the rating to A+ but there are still issues with set-cookie that remain.

So far the server is acting fine but still testing.

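As an added example (this is not code from the thread or from the Seafile project), the script below parses the three policies quoted in this thread (the @holantomas policy, the broad default-src 'self' http: https: ... one, and the 'strict-dynamic' one from the post above) and reports what a browser would actually enforce. That is what the scanner scores turn on: 'unsafe-inline' in script-src is only ignored when a nonce or hash is present; 'strict-dynamic' makes the http: and https: host sources irrelevant and blocks every script tag that does not carry the nonce; a nonce written as a fixed string in add_header is identical on every response, so an attacker who can inject markup knows it; and a policy with no default-src leaves img-src, style-src, connect-src and the rest unrestricted, while base-uri and frame-ancestors never inherit from default-src at all. The policy strings are copied from the posts; the findings are computed by this code, not quoted from any scanner.

```python
"""Added example (not from the thread or the Seafile project): a small
Content-Security-Policy parser that computes the properties scanners
such as Mozilla Observatory penalize.  The three policies below are
copied from posts in this thread; the findings are derived from the
policy text by this code, not quoted from any scanner."""
import re

# Fetch directives that fall back to default-src when absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "media-src", "frame-src",
                    "child-src", "worker-src")
NONCE_RE = re.compile(r"^'nonce-([^']+)'$", re.IGNORECASE)
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.
    Directive names are case-insensitive and the first occurrence wins,
    which is how browsers treat duplicate directives."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return (sources, governing directive).  Fetch directives fall back
    to default-src; with neither present the directive is unrestricted."""
    if directive in policy:
        return policy[directive], directive
    if "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None


def audit(header):
    """Summarize the script-src situation plus the directives that do
    not inherit from default-src (base-uri, frame-ancestors)."""
    policy = parse_csp(header)
    script, via = effective_sources(policy, "script-src")
    low = [s.lower() for s in (script or [])]
    nonces = [m.group(1) for m in map(NONCE_RE.match, script or []) if m]
    has_hash = any(s.startswith(HASH_PREFIXES) for s in low)
    obj, _ = effective_sources(policy, "object-src")
    return {
        "script_governed_by": via,  # None means scripts are unrestricted
        # A nonce or hash in the list makes 'unsafe-inline' ignored, so it
        # only weakens the policy when neither is present.
        "unsafe_inline_effective":
            "'unsafe-inline'" in low and not (nonces or has_hash),
        "unsafe_eval": "'unsafe-eval'" in low,
        # CSP3: 'strict-dynamic' also makes host and scheme sources
        # (http:, https:, https://*.example) ignored for script-src.
        "strict_dynamic": "'strict-dynamic'" in low,
        "nonces": nonces,
        "object_src_none": obj == ["'none'"],
        "base_uri_missing": "base-uri" not in policy,
        "frame_ancestors_missing": "frame-ancestors" not in policy,
        "unrestricted": [d for d in FETCH_DIRECTIVES
                         if effective_sources(policy, d)[1] is None],
    }


def nonce_reused(headers):
    """True when several observed responses all carry the same nonce,
    i.e. it is a fixed string in the server config rather than a
    per-request value, which gives an attacker a known nonce to put on
    injected script tags."""
    seen = {tuple(audit(h)["nonces"]) for h in headers}
    return len(headers) > 1 and len(seen) == 1 and () not in seen


# Policies quoted from the thread (nonce value exactly as posted).
POLICY_HOLANTOMAS = (
    "default-src 'none'; script-src http://seafile.com/ "
    "https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' "
    "'unsafe-inline' 'unsafe-eval'; img-src 'self' blob:; font-src data: "
    "'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; "
    "child-src https://*.nohatech.se; object-src 'none'; "
    "frame-ancestors https://*.nohatech.se/; base-uri "
    "https://*.nohatech.se/ 'self'; media-src 'self';")
POLICY_BROAD = ("default-src 'self' http: https: ws: wss: data: blob: "
                "'unsafe-inline'; frame-ancestors 'self';")
POLICY_STRICT_DYNAMIC = (
    "script-src 'strict-dynamic' 'nonce-rAnd0m123' 'unsafe-inline' "
    "http: https:; object-src 'none'; base-uri 'none'; "
    "require-trusted-types-for 'script';")

if __name__ == "__main__":
    for name, pol in (("holantomas", POLICY_HOLANTOMAS),
                      ("broad", POLICY_BROAD),
                      ("strict-dynamic", POLICY_STRICT_DYNAMIC)):
        print(name, audit(pol))
    # Three responses from an add_header with a literal nonce look alike.
    print("nonce reused:", nonce_reused([POLICY_STRICT_DYNAMIC] * 3))
```

Run it as is to see the three summaries. For a real deployment, replace the policy constants with the header values captured from your own server (curl -sI against the login page) and feed several captures to nonce_reused; a per-request nonce only helps when the application emits it on every script tag, which is why scores and working pages pull in opposite directions here.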

Using that policy, the login window disappears for me when visiting the website. This topic has been brought up in the forum over and over again over the years, but no viable config seems to exist.