rhodecode-enterprise-ce Files · docs/admin/sec-x-frame.rst

pull-requests: increase stability of concurrent pull requests creation by flushing prematurly the statuses of commits....

pull-requests: increase stability of concurrent pull requests creation by flushing prematurly the statuses of commits. This is required to increase the versions on each concurrent call. Otherwise we could get into an integrity errors of commitsha+version+repo

marcink - - Load All Authors

File last commit:

r1:854a839a default


                r3408:2a133f7e

stable

Download file

             sec-x-frame.rst
        
                    56 lines
            
             | 1.8 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / admin / sec-x-frame.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
project: added all source files and assets

              r1
            
      .. _x-frame:

      Securing HTTPS Connections

      --------------------------

      * To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you

        should configure your webserver ``x-frame-options`` setting.

      * To configure your instance for `HTTP Strict Transport Security`_, you need to

        configure the ``Strict-Transport-Security`` setting.

      Nginx

      ^^^^^

      In your nginx configuration, add the following lines in the correct files. For

      more detailed information see the :ref:`nginx-ws-ref` section.

      .. code-block:: nginx

          # Add this line to the nginx.conf file

          add_header X-Frame-Options SAMEORIGIN;

          # This line needs to be added inside your virtual hosts block/file

          add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

      Apache

      ^^^^^^

      In your :file:`apache2.conf` file, add the following line. For more detailed

      information see the :ref:`apache-ws-ref` section.

      .. code-block:: apache

          # Add this to your virtual hosts file

          Header always append X-Frame-Options SAMEORIGIN

          # Add this line in your virtual hosts file

          Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

      |RCE| Configuration

      ^^^^^^^^^^^^^^^^^^^

      |RCE| can also be configured to force strict *https* connections and Strict

      Transport Security. To set this, configure the following options to ``true``

      in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.

      .. code-block:: ini

          ## force https in RhodeCode, fixes https redirects, assumes it's always https

          force_https = false

          ## use Strict-Transport-Security headers

          use_htsts = false

      .. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting

      .. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink project: added all source files and assets	r1	.. _x-frame:

		Securing HTTPS Connections
		--------------------------

		* To secure your \|RCE\| instance against `Cross Frame Scripting`_ exploits, you
		should configure your webserver ``x-frame-options`` setting.

		* To configure your instance for `HTTP Strict Transport Security`_, you need to
		configure the ``Strict-Transport-Security`` setting.

		Nginx
		^^^^^

		In your nginx configuration, add the following lines in the correct files. For
		more detailed information see the :ref:`nginx-ws-ref` section.

		.. code-block:: nginx

		# Add this line to the nginx.conf file
		add_header X-Frame-Options SAMEORIGIN;

		# This line needs to be added inside your virtual hosts block/file
		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

		Apache
		^^^^^^

		In your :file:`apache2.conf` file, add the following line. For more detailed
		information see the :ref:`apache-ws-ref` section.

		.. code-block:: apache

		# Add this to your virtual hosts file
		Header always append X-Frame-Options SAMEORIGIN

		# Add this line in your virtual hosts file
		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

		\|RCE\| Configuration
		^^^^^^^^^^^^^^^^^^^

		\|RCE\| can also be configured to force strict https connections and Strict
		Transport Security. To set this, configure the following options to ``true``
		in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.

		.. code-block:: ini

		## force https in RhodeCode, fixes https redirects, assumes it's always https
		force_https = false

		## use Strict-Transport-Security headers
		use_htsts = false


		.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
		.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security