##// END OF EJS Templates
release: merge back stable branch into default
r1642:bdf7d7ec merge default
Show More
sec-x-frame.rst
56 lines | 1.8 KiB | text/x-rst | RstLexer
project: added all source files and assets
r1 .. _x-frame:
Securing HTTPS Connections
--------------------------
* To secure your |RCE| instance against `Cross Frame Scripting`_ exploits, you
should configure your webserver ``x-frame-options`` setting.
* To configure your instance for `HTTP Strict Transport Security`_, you need to
configure the ``Strict-Transport-Security`` setting.
Nginx
^^^^^
In your nginx configuration, add the following lines in the correct files. For
more detailed information see the :ref:`nginx-ws-ref` section.
.. code-block:: nginx
# Add this line to the nginx.conf file
add_header X-Frame-Options SAMEORIGIN;
# This line needs to be added inside your virtual hosts block/file
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Apache
^^^^^^
In your :file:`apache2.conf` file, add the following line. For more detailed
information see the :ref:`apache-ws-ref` section.
.. code-block:: apache
# Add this to your virtual hosts file
Header always append X-Frame-Options SAMEORIGIN
# Add this line in your virtual hosts file
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|RCE| Configuration
^^^^^^^^^^^^^^^^^^^
|RCE| can also be configured to force strict *https* connections and Strict
Transport Security. To set this, configure the following options to ``true``
in the :file:`/home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file.
.. code-block:: ini
## force https in RhodeCode, fixes https redirects, assumes it's always https
force_https = false
## use Strict-Transport-Security headers
use_htsts = false
.. _Cross Frame Scripting: https://www.owasp.org/index.php/Cross_Frame_Scripting
.. _HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security