diff --git a/NOTES.rst b/NOTES.rst index e4d60b4584..f33a5356d0 100644 --- a/NOTES.rst +++ b/NOTES.rst @@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues . To see an overview of upcoming release milestones and the issues they resolve, please go to https://github.com/uninett/nav/milestones . +NAV 5.9 +======= + +Web security +------------ + +While it is only relevant for older browsers, the HTTP header +``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers +that do not support it after all. + +There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When +running in production with SSL/TLS turned on, there's a new flag ``needs_tls`` +that should also be toggled on. This'll turn on secure cookies (only sent over +SSL/TLS). See also the new howto +:doc:`Securing NAV in production `. + NAV 5.8 ======= diff --git a/doc/howto/index.rst b/doc/howto/index.rst index 4369b4f994..9e45bd2fbd 100644 --- a/doc/howto/index.rst +++ b/doc/howto/index.rst @@ -19,3 +19,4 @@ Howtos setting-up-logging using_the_api api_parameters + securing-nav-in-production diff --git a/doc/howto/securing-nav-in-production.rst b/doc/howto/securing-nav-in-production.rst new file mode 100644 index 0000000000..f53774a3c8 --- /dev/null +++ b/doc/howto/securing-nav-in-production.rst @@ -0,0 +1,26 @@ +========================== +Securing NAV in production +========================== + +Overview +======== + +The default configuration of NAV is set up to work well during development, but +needs to be tightened when running in production. + +NAV consists of pages controlled by NAV itself, and pages served directly by +the web server. Security features for NAV's own pages are controlled via the +``[security]``-section in the file :file:`webfront/webfront.conf`, while +security for the other pages are controlled directly by the web server. + + +SSL/TLS +======= + +This needs to be turned on in the webserver itself. While there is no reason to +serve any of NAV without SSL/TLS turned off, it is especially important for the +pages controlled by NAV. + +When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in +the ``[security]``-section is set to ``yes``. This explicitly turns on secure +cookies, which is dependent on SSL being in use. diff --git a/python/nav/django/settings.py b/python/nav/django/settings.py index 1847ec24ca..dfd3e33251 100644 --- a/python/nav/django/settings.py +++ b/python/nav/django/settings.py @@ -29,6 +29,7 @@ from nav.db import get_connection_parameters import nav.buildconf from nav.jwtconf import JWTConf +from nav.web.security import WebSecurityConfigParser ALLOWED_HOSTS = ['*'] @@ -252,6 +253,21 @@ 'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider', ] +## Web security options supported by Django +# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security +# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/ +# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/ +# +# Configured in etc/webfront/webfront.conf: +# [security] +# needs_tls = yes + +SECURE_BROWSER_XSS_FILTER = True # Does no harm + +_websecurity_config = WebSecurityConfigParser() +_needs_tls = bool(_websecurity_config.getboolean('security', 'needs_tls')) +SESSION_COOKIE_SECURE = _needs_tls + # Hack for hackers to use features like debug_toolbar etc. # https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method) if _config_dir: diff --git a/python/nav/etc/webfront/webfront.conf b/python/nav/etc/webfront/webfront.conf index 302aaa1774..ab104db44f 100644 --- a/python/nav/etc/webfront/webfront.conf +++ b/python/nav/etc/webfront/webfront.conf @@ -130,3 +130,9 @@ enabled = no # Some remote user systems need to be visited *after* NAV has logged the user # out. The default/unset value is "/" #post-logout-redirect-url=/magic/logout?nexthop=/ + +[security] +# Whether NAV must be run under TLS or not. Toggling this to `yes` toggles web +# security features that are only available with TLS/SSL enabled. In +# development mode this defaults to `no`. +# needs_tls = no diff --git a/python/nav/web/security.py b/python/nav/web/security.py new file mode 100644 index 0000000000..cb3d64cce4 --- /dev/null +++ b/python/nav/web/security.py @@ -0,0 +1,11 @@ +from pathlib import Path + +from nav.config import NAVConfigParser + + +class WebSecurityConfigParser(NAVConfigParser): + DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')] + DEFAULT_CONFIG = u""" +[security] +needs_tls=no +"""