##// END OF EJS Templates
env-variables: make it safer if there's a syntax problem inside .ini file....
env-variables: make it safer if there's a syntax problem inside .ini file. It's better to not crash, since it means server wont start. Let users fix problems instead of breaking the startup because of that.

File last commit:

r1:854a839a default
r3237:5cf82ecc default
Show More
sec-x-frame.rst
56 lines | 1.8 KiB | text/x-rst | RstLexer
project: added all source files and assets
r1 .. _x-frame:
Securing HTTPS Connections
--------------------------
* To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you
should configure your webserver ``x-frame-options`` setting.
* To configure your instance for `HTTP Strict Transport Security`_, you need to
configure the ``Strict-Transport-Security`` setting.
Nginx
^^^^^
In your nginx configuration, add the following lines in the correct files. For
more detailed information see the :ref:`nginx-ws-ref` section.
.. code-block:: nginx
# Add this line to the nginx.conf file
add_header X-Frame-Options SAMEORIGIN;
# This line needs to be added inside your virtual hosts block/file
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Apache
^^^^^^
In your :file:`apache2.conf` file, add the following line. For more detailed
information see the :ref:`apache-ws-ref` section.
.. code-block:: apache
# Add this to your virtual hosts file
Header always append X-Frame-Options SAMEORIGIN
# Add this line in your virtual hosts file
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|RCE| Configuration
^^^^^^^^^^^^^^^^^^^
|RCE| can also be configured to force strict *https* connections and Strict
Transport Security. To set this, configure the following options to ``true``
in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.
.. code-block:: ini
## force https in RhodeCode, fixes https redirects, assumes it's always https
force_https = false
## use Strict-Transport-Security headers
use_htsts = false
.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security