rhodecode-enterprise-ce Files · docs/admin/sec-x-frame.rst

docs: added release notes for 4.22.0

marcink - - Load All Authors

File last commit:

r1:854a839a default


                r4521:a111f355

stable

Download file

             sec-x-frame.rst
        
                    56 lines
            
             | 1.8 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / admin / sec-x-frame.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
project: added all source files and assets

              r1
            
      .. _x-frame:

      Securing HTTPS Connections

      --------------------------

      * To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you

        should configure your webserver ``x-frame-options`` setting.

      * To configure your instance for `HTTP Strict Transport Security`_, you need to

        configure the ``Strict-Transport-Security`` setting.

      Nginx

      ^^^^^

      In your nginx configuration, add the following lines in the correct files. For

      more detailed information see the :ref:`nginx-ws-ref` section.

      .. code-block:: nginx

          # Add this line to the nginx.conf file

          add_header X-Frame-Options SAMEORIGIN;

          # This line needs to be added inside your virtual hosts block/file

          add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

      Apache

      ^^^^^^

      In your :file:`apache2.conf` file, add the following line. For more detailed

      information see the :ref:`apache-ws-ref` section.

      .. code-block:: apache

          # Add this to your virtual hosts file

          Header always append X-Frame-Options SAMEORIGIN

          # Add this line in your virtual hosts file

          Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

      |RCE| Configuration

      ^^^^^^^^^^^^^^^^^^^

      |RCE| can also be configured to force strict *https* connections and Strict

      Transport Security. To set this, configure the following options to ``true``

      in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.

      .. code-block:: ini

          ## force https in RhodeCode, fixes https redirects, assumes it's always https

          force_https = false

          ## use Strict-Transport-Security headers

          use_htsts = false

      .. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting

      .. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink project: added all source files and assets	r1	.. _x-frame:

		Securing HTTPS Connections
		--------------------------

		* To secure your \|RCE\| instance against `Cross Frame Scripting`_ exploits, you
		should configure your webserver ``x-frame-options`` setting.

		* To configure your instance for `HTTP Strict Transport Security`_, you need to
		configure the ``Strict-Transport-Security`` setting.

		Nginx
		^^^^^

		In your nginx configuration, add the following lines in the correct files. For
		more detailed information see the :ref:`nginx-ws-ref` section.

		.. code-block:: nginx

		# Add this line to the nginx.conf file
		add_header X-Frame-Options SAMEORIGIN;

		# This line needs to be added inside your virtual hosts block/file
		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

		Apache
		^^^^^^

		In your :file:`apache2.conf` file, add the following line. For more detailed
		information see the :ref:`apache-ws-ref` section.

		.. code-block:: apache

		# Add this to your virtual hosts file
		Header always append X-Frame-Options SAMEORIGIN

		# Add this line in your virtual hosts file
		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

		\|RCE\| Configuration
		^^^^^^^^^^^^^^^^^^^

		\|RCE\| can also be configured to force strict https connections and Strict
		Transport Security. To set this, configure the following options to ``true``
		in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.

		.. code-block:: ini

		## force https in RhodeCode, fixes https redirects, assumes it's always https
		force_https = false

		## use Strict-Transport-Security headers
		use_htsts = false


		.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
		.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security