Skip to content

Commit

Permalink
Create new config section for web security settings (#2815)
Browse files Browse the repository at this point in the history
* Document the new config section
* Add a link to the correct config-file from settings.py
  • Loading branch information
hmpf authored Mar 1, 2024
1 parent ce80dcb commit 459cb29
Show file tree
Hide file tree
Showing 6 changed files with 76 additions and 0 deletions.
16 changes: 16 additions & 0 deletions NOTES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
To see an overview of upcoming release milestones and the issues they resolve,
please go to https://github.com/uninett/nav/milestones .

NAV 5.9
=======

Web security
------------

While it is only relevant for older browsers, the HTTP header
``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers
that do not support it after all.

There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When
running in production with SSL/TLS turned on, there's a new flag ``needs_tls``
that should also be toggled on. This'll turn on secure cookies (only sent over
SSL/TLS). See also the new howto
:doc:`Securing NAV in production </howto/securing-nav-in-production>`.

NAV 5.8
=======

Expand Down
1 change: 1 addition & 0 deletions doc/howto/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ Howtos
setting-up-logging
using_the_api
api_parameters
securing-nav-in-production
26 changes: 26 additions & 0 deletions doc/howto/securing-nav-in-production.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
==========================
Securing NAV in production
==========================

Overview
========

The default configuration of NAV is set up to work well during development, but
needs to be tightened when running in production.

NAV consists of pages controlled by NAV itself, and pages served directly by
the web server. Security features for NAV's own pages are controlled via the
``[security]``-section in the file :file:`webfront/webfront.conf`, while
security for the other pages are controlled directly by the web server.


SSL/TLS
=======

This needs to be turned on in the webserver itself. While there is no reason to
serve any of NAV without SSL/TLS turned off, it is especially important for the
pages controlled by NAV.

When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in
the ``[security]``-section is set to ``yes``. This explicitly turns on secure
cookies, which is dependent on SSL being in use.
16 changes: 16 additions & 0 deletions python/nav/django/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
from nav.db import get_connection_parameters
import nav.buildconf
from nav.jwtconf import JWTConf
from nav.web.security import WebSecurityConfigParser

ALLOWED_HOSTS = ['*']

Expand Down Expand Up @@ -252,6 +253,21 @@
'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider',
]

## Web security options supported by Django
# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/
# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
#
# Configured in etc/webfront/webfront.conf:
# [security]
# needs_tls = yes

SECURE_BROWSER_XSS_FILTER = True # Does no harm

_websecurity_config = WebSecurityConfigParser()
_needs_tls = bool(_websecurity_config.getboolean('security', 'needs_tls'))
SESSION_COOKIE_SECURE = _needs_tls

# Hack for hackers to use features like debug_toolbar etc.
# https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
if _config_dir:
Expand Down
6 changes: 6 additions & 0 deletions python/nav/etc/webfront/webfront.conf
Original file line number Diff line number Diff line change
Expand Up @@ -130,3 +130,9 @@ enabled = no
# Some remote user systems need to be visited *after* NAV has logged the user
# out. The default/unset value is "/"
#post-logout-redirect-url=/magic/logout?nexthop=/

[security]
# Whether NAV must be run under TLS or not. Toggling this to `yes` toggles web
# security features that are only available with TLS/SSL enabled. In
# development mode this defaults to `no`.
# needs_tls = no
11 changes: 11 additions & 0 deletions python/nav/web/security.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
from pathlib import Path

from nav.config import NAVConfigParser


class WebSecurityConfigParser(NAVConfigParser):
DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
DEFAULT_CONFIG = u"""
[security]
needs_tls=no
"""

0 comments on commit 459cb29

Please sign in to comment.