.. _x-frame:

Securing HTTPS Connections
--------------------------

* To protect your |RCE| instance against `Cross Frame Scripting`_ (clickjacking)
  attacks, configure your webserver to send the ``X-Frame-Options`` header, so
  that browsers refuse to render |RCE| pages inside frames on other origins.

* To enable `HTTP Strict Transport Security`_, configure your webserver to send
  the ``Strict-Transport-Security`` header on its HTTPS responses. Browsers
  ignore this header when it arrives over plain HTTP, so it only takes effect
  once the instance is already served over TLS.

Nginx
^^^^^

In your nginx configuration, add both headers to the ``server`` block that
serves |RCE| over HTTPS. Keep them together: nginx only inherits ``add_header``
directives from an enclosing level when the current level declares none of its
own, so an ``X-Frame-Options`` header set in :file:`nginx.conf` is silently
dropped as soon as the virtual host adds ``Strict-Transport-Security`` itself.
For more detailed information see the :ref:`nginx-ws-ref` section.

.. code-block:: nginx

    # Add both lines inside the server block of your HTTPS virtual host.
    # "always" (nginx 1.7.5+) sends the header on error responses as well.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Apache
^^^^^^

In the virtual host file for your |RCE| instance, add the following lines.
They require ``mod_headers`` (enable it with ``a2enmod headers`` on Debian
based systems). For more detailed information see the :ref:`apache-ws-ref`
section.

.. code-block:: apache

    # Use "set" rather than "append": appending to a header that another
    # module already sends yields "SAMEORIGIN, SAMEORIGIN", which browsers
    # treat as an invalid value and ignore
    Header always set X-Frame-Options SAMEORIGIN

    # Only keep "preload" if you intend to submit the domain to the browser
    # HSTS preload list; it is hard to undo once the domain is listed
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

|RCE| Configuration
^^^^^^^^^^^^^^^^^^^

|RCE| can also be configured to force strict *https* connections and to emit
Strict Transport Security headers itself. To enable this, set the following
options to ``true`` in the :file:`config/_shared/rhodecode.ini` file (both
default to ``false``):

.. code-block:: ini

    ## force https in RhodeCode, fixes https redirects, assumes it's always https
    force_https = true

    ## use Strict-Transport-Security headers
    use_htsts = true
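Whichever of the three places you set the headers in, verify the result from
the outside rather than trusting the configuration file. The following checker
is an added example, not part of |RCE| or its documentation: it parses the
header block of an HTTP response (the output of ``curl -sI https://your-host/``
has exactly this shape) and reports the misconfigurations discussed above, such
as a duplicated ``X-Frame-Options`` value or an HSTS ``max-age`` below one year.
The sample responses embedded in the block are constructed for illustration.

```python
"""Check X-Frame-Options and Strict-Transport-Security in a raw HTTP response.

Feed it the header block printed by `curl -sI https://host/` (status line,
headers, blank line). Added example; not RhodeCode code.
"""
from __future__ import annotations

# One year in seconds: the value used in the nginx example above and the
# minimum the browser HSTS preload list accepts for max-age.
MIN_HSTS_AGE = 31536000


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse an HTTP/1.x response header block into {lower-name: [values]}.

    Header names are case-insensitive, so keys are lower-cased. Repeated
    headers are kept so that duplicates can be detected.
    """
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # end of headers, start of body
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split an HSTS value into directives (names are case-insensitive, RFC 6797)."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ';' as in the nginx example
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def check_headers(raw: str) -> list[str]:
    """Return a list of findings; an empty list means both headers look right."""
    findings: list[str] = []
    headers = parse_headers(raw)

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing: pages can be framed by any origin")
    elif len(xfo) > 1:
        findings.append(f"X-Frame-Options sent {len(xfo)} times; browsers ignore conflicting values")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # 'SAMEORIGIN, SAMEORIGIN' is what Apache 'Header append' produces
        findings.append(f"X-Frame-Options value {xfo[0]!r} is not DENY or SAMEORIGIN; browsers ignore it")

    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("Strict-Transport-Security missing: first request may still go over HTTP")
        return findings
    if len(hsts) > 1:
        findings.append("Strict-Transport-Security sent more than once; only the first is used")
    directives = parse_hsts(hsts[0])
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("Strict-Transport-Security has no numeric max-age; the header is ignored")
        age_value = 0
    else:
        age_value = int(age)
        if age_value < MIN_HSTS_AGE:
            findings.append(f"max-age={age_value} is below one year ({MIN_HSTS_AGE})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set: subdomains may still be reached over HTTP")
    if "preload" in directives and ("includesubdomains" not in directives or age_value < MIN_HSTS_AGE):
        findings.append("preload requires includeSubDomains and max-age of at least one year")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
APPEND_RESPONSE = (  # what 'Header append' plus a short max-age looks like
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
)
BARE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("append", APPEND_RESPONSE), ("bare", BARE_RESPONSE)):
        print(label, check_headers(raw) or "OK")
```

Run it against ``curl -sI`` output of the HTTPS origin, not the plain HTTP
redirect, since the HSTS header is only meaningful on the TLS response.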


.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security