Show More
sec-x-frame.rst
56 lines
| 1.8 KiB
| text/x-rst
|
RstLexer
r1 | .. _x-frame: | ||
Securing HTTPS Connections | |||
-------------------------- | |||
* To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you | |||
should configure your webserver ``x-frame-options`` setting. | |||
* To configure your instance for `HTTP Strict Transport Security`_, you need to | |||
configure the ``Strict-Transport-Security`` setting. | |||
Nginx | |||
^^^^^ | |||
In your nginx configuration, add the following lines in the correct files. For | |||
more detailed information see the :ref:`nginx-ws-ref` section. | |||
.. code-block:: nginx | |||
# Add this line to the nginx.conf file | |||
add_header X-Frame-Options SAMEORIGIN; | |||
# This line needs to be added inside your virtual hosts block/file | |||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |||
Apache | |||
^^^^^^ | |||
In your :file:`apache2.conf` file, add the following line. For more detailed | |||
information see the :ref:`apache-ws-ref` section. | |||
.. code-block:: apache | |||
# Add this to your virtual hosts file | |||
Header always append X-Frame-Options SAMEORIGIN | |||
# Add this line in your virtual hosts file | |||
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" | |||
|RCE| Configuration | |||
^^^^^^^^^^^^^^^^^^^ | |||
|RCE| can also be configured to force strict *https* connections and Strict | |||
Transport Security. To set this, configure the following options to ``true`` | |||
in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file. | |||
.. code-block:: ini | |||
## force https in RhodeCode, fixes https redirects, assumes it's always https | |||
force_https = false | |||
## use Strict-Transport-Security headers | |||
use_htsts = false | |||
.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting | |||
.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security |