Difference between revisions of "Apache Hardening"
(Added clickjacking and permissions policy) |
Revision as of 09:26, 23 August 2022
There are various ways that Apache configuration can be hardened to make it more secure. The suggested configuration changes below are informed by https://securityheaders.com/ Much of this is quite generic and could be applied to any web host, not just an EPrints repository, but some of it needs to be configured specifically for an EPrints repository. All of the lines below use the Header directive, which needs Apache's mod_headers module to be enabled (e.g. a2enmod headers on Debian/Ubuntu); run apachectl configtest after each change and then reload Apache.
HTTP Strict Transport Security (HSTS)
HSTS ensures that a visitor's web browser only uses HTTPS to reach your EPrints repository, once it has seen the header. It is now quite common to set up an EPrints repository to be only HTTPS with HTTP redirects. If this is the case, only your visitor's first request (and the first request after max-age has expired) will be HTTP; from then on their web browser will use HTTPS for every request, even for links it was given as http://.
The following line should be added near the top of the HTTPS virtualhost (i.e. in the archive's ssl/securevhost.conf). It must be sent over HTTPS: browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797), so adding it to the HTTP virtualhost achieves nothing.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
The max-age=31536000 is the recommended length in seconds (365 days, i.e. approx. 1 year); once a browser has seen it, it will refuse plain HTTP to that hostname for that long, so test with a short max-age (e.g. 300) first and only raise it once HTTPS is known to work for everything. includeSubDomains is not absolutely necessary unless the repository has alternative hostnames that are under the primary hostname (e.g. www.example.eprints.org is a secondary hostname for example.eprints.org); note that it applies to every subdomain, so any HTTP-only service under the same name will stop working in browsers that have seen the header. preload is only really useful if your repository is the root of a domain (e.g. eprints.org) and you submit it to the browsers' preload lists (e.g. https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc); submission is via https://hstspreload.org/, which requires both includeSubDomains and a max-age of at least one year. Being on the list makes sure that even the first request for your repository is rewritten to HTTPS before being submitted by your visitor's web browser. Removal from the list takes months to reach users, so treat it as a permanent commitment.
X-Frame-Options (Clickjacking)
Clickjacking is where someone embeds your website (e.g. EPrints repository) in a frame within their website to trick your visitors into clicking on something they would not normally click. Generally there is no good reason to allow your repository to be embedded on another website, so the following line should be used.
Header always set X-Frame-Options SAMEORIGIN
set rather than append is deliberate: append merges with any value already set elsewhere (e.g. by the application or another configuration file), producing a comma-joined value that is not a valid X-Frame-Options value, whereas set replaces whatever was there so exactly one value is sent. always makes sure the header is also sent on error responses (e.g. 404 and 500 pages), not only on successful ones. This can be put in its own file under Apache's configuration directories, as it is best to make sure it is applied to all virtualhosts. X-Frame-Options is the older mechanism; browsers that support Content-Security-Policy honour its frame-ancestors directive in preference to it (frame-ancestors 'self' is the equivalent), but X-Frame-Options is still worth sending for older browsers.
Permissions Policy
Permissions Policy (formerly known as Feature Policy, which used a different syntax) sets out what access your EPrints repository needs to certain peripherals, sensors and features of your visitor's web browser (e.g. webcam, microphone and geolocation). EPrints repositories do not generally need access to any of these, but if your repository were compromised (e.g. someone uploaded some JavaScript that would be executed when a user requested a certain page), it is sensible to have explicitly specified that access is not required, so these peripherals and data could not be misused by that script.
The following line states that your EPrints repository does not need access to a visitor's camera, geolocation or microphone. An empty allowlist, (), denies the feature to every origin, including your own pages.
Header always set Permissions-Policy "camera=(), geolocation=(), microphone=()"
If one of your own pages genuinely needs a feature, allow it for your own origin only, e.g. geolocation=(self); to also allow one specific other origin, list it as a double-quoted URL, e.g. geolocation=(self "https://example.eprints.org"). Permissions-Policy uses structured-header syntax, in which origins are double-quoted; the single quotes of the old Feature-Policy syntax are not accepted, and inside an Apache Header value the double quotes have to be escaped as \". Like the clickjacking protection line, this is best added to its own file under Apache's configuration directories, so it applies to all virtualhosts. New peripherals, sensors and features continue to be added to the Permissions Policy. The line above is only intended to cover the most significant. You can build your own permissions policy at https://www.permissionspolicy.com/ and update the above line as appropriate.
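Once the three headers above are in place, check what Apache actually sends rather than what the configuration says. The script below is an added example written for this page, not part of EPrints or of securityheaders.com: it parses a set of response headers and reports the mistakes discussed in the HSTS, X-Frame-Options and Permissions Policy sections (max-age shorter than a year, preload without includeSubDomains, a comma-joined X-Frame-Options value such as Header append produces, a sensor left unrestricted). The GOOD and WEAK header sets are constructed for illustration; fetch_headers() is a hypothetical helper for running the same checks against a live repository.

```python
"""Offline checker for the hardening headers discussed on this page (added example)."""
import re
import urllib.request

ONE_YEAR = 31536000  # seconds; the max-age the page recommends
SENSORS = ("camera", "microphone", "geolocation")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict.

    RFC 6797: directives are ';'-separated, names are case-insensitive and a
    directive that appears twice makes the whole header invalid (reported here).
    Returns e.g. {"max-age": 31536000, "includesubdomains": True}.
    """
    parsed = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in parsed:
            raise ValueError("duplicate HSTS directive: %s" % name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                raise ValueError("max-age is not a non-negative integer")
            parsed[name] = int(val)
        else:
            parsed[name] = True
    if "max-age" not in parsed:
        raise ValueError("HSTS header has no max-age directive")
    return parsed


def parse_permissions_policy(value):
    """Return {feature: [allowlist tokens]} for a Permissions-Policy value,
    e.g. 'camera=(), geolocation=(self "https://x")' -> tokens per feature."""
    policy = {}
    for m in re.finditer(r'([a-z-]+)=\(([^)]*)\)', value):
        policy[m.group(1)] = m.group(2).split()
    return policy


def check_headers(headers):
    """Return a list of findings; an empty list means all three headers look fine.
    `headers` is a dict of response headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        try:
            d = parse_hsts(hsts)
            if d["max-age"] < ONE_YEAR:
                findings.append("HSTS: max-age %d is below one year" % d["max-age"])
            if d.get("preload") and not d.get("includesubdomains"):
                findings.append("HSTS: preload requires includeSubDomains")
        except ValueError as e:
            findings.append("HSTS: %s" % e)

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        # A comma-joined value (what "Header append" produces when the header
        # was already set) is not a valid X-Frame-Options value and lands here.
        findings.append("X-Frame-Options: invalid value %r" % xfo)

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy: header missing")
    else:
        policy = parse_permissions_policy(pp)
        for feature in SENSORS:
            if feature not in policy:
                findings.append("Permissions-Policy: %s not restricted" % feature)
            elif "*" in policy[feature]:
                findings.append("Permissions-Policy: %s allowed for all origins" % feature)
    return findings


def fetch_headers(url):
    """Hypothetical live variant: HEAD request with urllib (needs network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample: what a hardened EPrints virtualhost should send ...
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "camera=(), geolocation=(), microphone=()",
}
# ... and a weak one: short max-age, doubled X-Frame-Options, no policy at all.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(name, check_headers(hdrs) or ["ok"])
```

Run it as-is to see both sample results, or replace GOOD with fetch_headers("https://example.eprints.org/") to check a live host; because the checks only look at the header values, the same function works on headers pasted from curl -sI output.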