u/pc/rhodecode-enterprise-ce-fork-pc Files · docs/admin/sec-x-frame.rst

auth: don't break hashing in case of user with empty password....

auth: don't break hashing in case of user with empty password. In some cases such as LDAP user created via external scripts users might set the passwords to empty. The hashing uses the md5(password_hash) to store reference to detect password changes and forbid using the same password. In case of pure LDAP users this is not valid, and we shouldn't raise Errors in such case. This change makes it work for empty passwords now.

marcink - - Load All Authors

File last commit:

r1:854a839a default


                r2203:8a18c3c3

default

Download file

             sec-x-frame.rst
        
                    56 lines
            
             | 1.8 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / admin / sec-x-frame.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
project: added all source files and assets

              r1
            
      .. _x-frame:

      Securing HTTPS Connections

      --------------------------

      * To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you

        should configure your webserver ``x-frame-options`` setting.

      * To configure your instance for `HTTP Strict Transport Security`_, you need to

        configure the ``Strict-Transport-Security`` setting.

      Nginx

      ^^^^^

      In your nginx configuration, add the following lines in the correct files. For

      more detailed information see the :ref:`nginx-ws-ref` section.

      .. code-block:: nginx

          # Add this line to the nginx.conf file

          add_header X-Frame-Options SAMEORIGIN;

          # This line needs to be added inside your virtual hosts block/file

          add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

      Apache

      ^^^^^^

      In your :file:`apache2.conf` file, add the following line. For more detailed

      information see the :ref:`apache-ws-ref` section.

      .. code-block:: apache

          # Add this to your virtual hosts file

          Header always append X-Frame-Options SAMEORIGIN

          # Add this line in your virtual hosts file

          Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

      |RCE| Configuration

      ^^^^^^^^^^^^^^^^^^^

      |RCE| can also be configured to force strict *https* connections and Strict

      Transport Security. To set this, configure the following options to ``true``

      in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.

      .. code-block:: ini

          ## force https in RhodeCode, fixes https redirects, assumes it's always https

          force_https = false

          ## use Strict-Transport-Security headers

          use_htsts = false

      .. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting

      .. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink project: added all source files and assets	r1	.. _x-frame:

		Securing HTTPS Connections
		--------------------------

		* To secure your \|RCE\| instance against `Cross Frame Scripting`_ exploits, you
		should configure your webserver ``x-frame-options`` setting.

		* To configure your instance for `HTTP Strict Transport Security`_, you need to
		configure the ``Strict-Transport-Security`` setting.

		Nginx
		^^^^^

		In your nginx configuration, add the following lines in the correct files. For
		more detailed information see the :ref:`nginx-ws-ref` section.

		.. code-block:: nginx

		# Add this line to the nginx.conf file
		add_header X-Frame-Options SAMEORIGIN;

		# This line needs to be added inside your virtual hosts block/file
		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

		Apache
		^^^^^^

		In your :file:`apache2.conf` file, add the following line. For more detailed
		information see the :ref:`apache-ws-ref` section.

		.. code-block:: apache

		# Add this to your virtual hosts file
		Header always append X-Frame-Options SAMEORIGIN

		# Add this line in your virtual hosts file
		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

		\|RCE\| Configuration
		^^^^^^^^^^^^^^^^^^^

		\|RCE\| can also be configured to force strict https connections and Strict
		Transport Security. To set this, configure the following options to ``true``
		in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.

		.. code-block:: ini

		## force https in RhodeCode, fixes https redirects, assumes it's always https
		force_https = false

		## use Strict-Transport-Security headers
		use_htsts = false


		.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
		.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security