##// END OF EJS Templates
threading: Add factory that creates curl session for each thread....
threading: Add factory that creates curl session for each thread. When creating a repo with an import url pointing to another repo on the same enterprise instance we call the vcssserver to check the url. The vcsserver then calls to enterprise to verify the url. This leads to two threads using the same cur session.

File last commit:

r1:854a839a default
r243:dae685be default
Show More
sec-x-frame.rst
56 lines | 1.8 KiB | text/x-rst | RstLexer
project: added all source files and assets
r1 .. _x-frame:
Securing HTTPS Connections
--------------------------
* To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you
should configure your webserver ``x-frame-options`` setting.
* To configure your instance for `HTTP Strict Transport Security`_, you need to
configure the ``Strict-Transport-Security`` setting.
Nginx
^^^^^
In your nginx configuration, add the following lines in the correct files. For
more detailed information see the :ref:`nginx-ws-ref` section.
.. code-block:: nginx
# Add this line to the nginx.conf file
add_header X-Frame-Options SAMEORIGIN;
# This line needs to be added inside your virtual hosts block/file
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Apache
^^^^^^
In your :file:`apache2.conf` file, add the following line. For more detailed
information see the :ref:`apache-ws-ref` section.
.. code-block:: apache
# Add this to your virtual hosts file
Header always append X-Frame-Options SAMEORIGIN
# Add this line in your virtual hosts file
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|RCE| Configuration
^^^^^^^^^^^^^^^^^^^
|RCE| can also be configured to force strict *https* connections and Strict
Transport Security. To set this, configure the following options to ``true``
in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.
.. code-block:: ini
## force https in RhodeCode, fixes https redirects, assumes it's always https
force_https = false
## use Strict-Transport-Security headers
use_htsts = false
.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security