Security Headers #854
Comments
|
I like the idea, and hate the idea of an F!!! Hey @PinpointTownes and @jersiovic - as the chaps that did the security side of things so far, what do you think? I know you both would hate having an F! |
|
+1 to move up. So, please go for that PR |
|
Sounds like a very good idea, indeed 👍 That said, please consider leveraging an existing library instead of reinventing the wheel. I personally use NWebsec for all my projects (https://github.com/NWebsec/NWebsec/tree/master/src/NWebsec.AspNetCore.Middleware), but there are other projects like https://github.com/TerribleDev/HardHat or https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders that can help you with that. The hard part will be making all that stuff not too confusing/too hard to use for the developers. Specially since an invalid configuration can lead to terrible consequences 😅 |
|
hey @jrestall Did you manage to make any head way with this? |
|
I guess we should decide where to store such configuration in Config file or Db. I'm thinking about multiple proposals
I think in this case 2nd approach will be better. cc: @sebastienros |
|
I think we can handle it with a single, specialized module, don't need for extensibility here. Just settings to enable specific properties. |
|
As mentioned in #1277, we should have this as features in the same Security module. Another solution is to have a single feature with a single configuration page, and suggest to users that they should check everything. Bonus points if the settings point to articles about why the setting is important. I am setting the milestone to beta2. |
|
/cc @petedavis |
|
Using cloudflare as an example, clicking enable HSTS should come with some level of acknowledgement before enabling it on a site: And we should try and configure the middle ware with from settings: |
|
But we set HSTS when the "force https" option is set, isn't that good enough? |
|
Having HSTS enabled by default and a zero max-age is missing some of the main benefits of HSTS. Knowing that you cannot disable HTTPS support until HSTS is disabled, and the HSTS max age expires should be known. And then max age can be used effectively as people should understand this is on and cant be turned of like a switch like just HTTPS can. |
|
I am currently configuring a deployment of Orchard and attempted to implement a CSP for it. I found some issues that need to be addressed. I wanted to force these headers to all tenants, so a module would not be useful for my use case.
Using the https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders package. using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
namespace web
{
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddOrchardCms();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
var policyCollection = new HeaderPolicyCollection()
.AddFrameOptionsSameOrigin()
.AddXssProtectionBlock()
.AddContentTypeOptionsNoSniff()
.AddReferrerPolicyStrictOriginWhenCrossOrigin()
.RemoveServerHeader()
.AddContentSecurityPolicy(builder =>
{
builder.AddObjectSrc().Self();
builder.AddFormAction().Self();
builder.AddFrameAncestors().Self();
builder.AddDefaultSrc().Self();
builder.AddFontSrc().Self().From("cdn.jsdelivr.net").From("fonts.googleapis.com").From("fonts.gstatic.com");
builder.AddStyleSrc().UnsafeInline().Self().From("cdn.jsdelivr.net").From("fonts.googleapis.com").From("cdn.datatables.net")
.From("unpkg.com")
.From("cdnjs.cloudflare.com")
;
// unsafe-evail needed for vue.js runtime templates
builder.AddScriptSrc().UnsafeEval().UnsafeInline().Self()
.From("cdn.jsdelivr.net").From("cdn.datatables.net").From("cdnjs.cloudflare.com").From("vuejs.org")
.From("unpkg.com")
.From("cdnjs.cloudflare.com")
;
});
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
} else
{
policyCollection.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365); // maxage = one year in seconds
}
app.UseSecurityHeaders(policyCollection)
.UsePoweredByOrchardCore(false)
.UseStaticFiles()
.UseOrchardCore(builder=>builder
.UsePoweredByOrchardCore(false)
.UseCookiePolicy(new CookiePolicyOptions()
{
HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always,
Secure = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest
})
);
}
}
}Edit: Some of the issues I mentionned might be fixed when this lands: dotnet/aspnetcore#6001 |
|
@sebastienros shall we add this as a middleware, something similar to |
@sebastienros shall we add new module for that |
|
If we have a security module use it, I think we have one. Dedicated feature might be nice. |
Where? Do you mean |
|
If we just have an https module, we could create a security one and move the https feature there |
|
Make sense, but for now we can introduce a Security module, then add HTTPs as feature before release |
|
The
Perhaps there are few features related to @Piedone your feedback please I'm planning to start a PR soon ... |
|
What does https://securityheaders.com/ say? |
|
https://securityheaders.com/?q=https%3A%2F%2Forchardcore.net%2F states the following:
|
|
So, I think the goal should be that a vanilla Orchard site gives a flawless score with the extension, with corresponding docs on the necessary setup. |
|
Few of them are optional, so can we add the above list as features or we they should be added once the module is enabled with no option to toggle them? I think make them as features is a very good choice
We could enable this module on setup |
|
Have a look at this: Maybe a good starting point. |
|
@hishamco good, watching |
|
Adding those header as features are good and bad because the intend to make the default OC site supports those header. So, I will leave this for now |
1 similar comment
This comment was marked as duplicate.
This comment was marked as duplicate.
|
I don't really understand what you mean by "So, I will leave this for now" |
|
My intend at the beginning to add these header as separated feature, so they can be enabled or disabled, but this conflict with the original issue where the header should be present What I did in the related PR is add the headers when the module is enabled (which should be always enabled) |
|
BTW @Piedone seems the extension that you refer to is working only for a live site, for that my testing is to check the response header |
|
@sebastienros once we're done here, it would be great if some security expert from your team could also test it while it's running (no need for a detailed code review but that would be even better). |
|
I already checked the response headers, everything seems works as expected, also I may look for an extension for test this too |
|
@jrestall finally ;)
|
|
@hishamco Haha that's epic to see this complete after 5 years, really nice job! 🎉 |
|
It happens ;) you remind me with one of my PR which take two years or more to get merged |
Hi guys,
What are your thoughts on implementing the best practice security headers out of the box in Orchard? We don't necessarily need to have them enabled by default but I was thinking a config switch might be helpful to users of the CMS and developers using the framework.
https://securityheaders.io/ would give us an F rating currently which I'd like to move up.
These are the ones we are currently missing support for:
In addition I would recommend removing the Kestrel Server header and IIS X-Powered-By. I could submit a pull request with the web.config changes for IIS and the AddServerHeader = false for Kestrel.
For the other headers I could create a middleware in the Security module and have a new SecurityHeaderOptions class so that they could be toggled and configured from appsettings.json?
Feedback would be needed on sensible default values and which to toggle on by default.
Please let me know if there is interest in this and thoughts on the technical design and source location of such functionality.
The text was updated successfully, but these errors were encountered: