Securing HTTPS Connections
- To secure your |RCE| instance against Cross Frame Scripting exploits, you should configure your webserver x-frame-options setting.
- To configure your instance for HTTP Strict Transport Security, you need to configure the Strict-Transport-Security setting.
Nginx
In your nginx configuration, add the following lines in the correct files. For more detailed information see the :ref:`nginx-ws-ref` section.
# Add this line to the nginx.conf file add_header X-Frame-Options SAMEORIGIN; # This line needs to be added inside your virtual hosts block/file add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Apache
In your :file:`apache2.conf` file, add the following line. For more detailed information see the :ref:`apache-ws-ref` section.
# Add this to your virtual hosts file Header always append X-Frame-Options SAMEORIGIN # Add this line in your virtual hosts file Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|RCE| Configuration
|RCE| can also be configured to force strict https connections and Strict Transport Security. To set this, configure the following options to true in the :file:`config/_shared/rhodecode.ini` file.
## force https in RhodeCode, fixes https redirects, assumes it's always https force_https = false ## use Strict-Transport-Security headers use_htsts = false