commit: aa9c49838c8eb6ad91bc278c91848cd94cfebe8c
parent fd263ac1eb9157a0a060df16e3bddd8fb07a68ed
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Thu, 16 Feb 2017 15:44:01 +0100
antisèche-nginx: stapling + cache + Security Headers
Diffstat:
1 file changed, 10 insertions(+), 0 deletions(-)
diff --git a/antisèche-nginx.shtml b/antisèche-nginx.shtml
@@ -41,8 +41,18 @@ server {
ssl_protocols +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3 -SSLv2; # POODLE sur ≤TLS1.1
ssl_dhparam ssl/dhparam.pem; # “openssl dhparam -out dhparam.pem 2048” (4096 est <strong>très</strong> long)
ssl_dhparam secp384r1:secp521r1; # if("failed: unknown curve"): ssl_dhparam secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
add_header <a href="https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security">Strict-Transport-Security</a> 'max-age=15768000;includeSubDomains'; # Garder l’https pendant 6 mois et inclure les sous-domaines
add_header <a href="https://fr.wikipedia.org/wiki/HTTP_Public_Key_Pinning">Public-Key-Pins</a> 'pin-sha256="vOs/I6cJeaMzFkoEpscUvF/ahXvr7Cn4gDT7xTfhz+I="; max-age=5184000; includeSubDomains; report-uri="https://example.tld/report"'; # Garder en mémoire la signature de la clé publique pendant 60 jours et inclure les sous-domaines et rapport d’erreurs à https://example.tld/report
+
+ # <a href="https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy">https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy</a>
+ add_header X-Frame-Options "DENY"; # Deny framing
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy "default-src 'none'; script-src 'none'; style-src 'self'; img-src 'self' 'unsafe-inline' https://framapic.org:443;";
}</code></pre>
<pre><code># /etc/nginx/assemblee.conf
deny 62.160.71.0/24; # NETNAME: FR-PRESIDENCE-DE-LA-REPUBLIQUE
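Review bot: `ssl_stapling_verify on;` has nothing to verify the OCSP response against, and `ssl_stapling on;` has no way to resolve the responder hostname: nginx requires `ssl_trusted_certificate ssl/<issuer-chain>.pem;` (issuer and root certificates) plus a `resolver <dns-ip>;` directive next to these two lines, otherwise the staple is not fetched or is used unverified, with only an error-log warning to show for it. The four `add_header` lines added after the CSP link are inherited by a `location` block only when that location declares no `add_header` of its own, so a comment such as `# add_header n’est pas fusionné : une location qui définit un header doit tous les répéter` above the X-Frame-Options line would prevent a common silent loss of these headers. In the Content-Security-Policy value, `'unsafe-inline'` is not a valid source expression for `img-src` (it only has meaning for script-src/style-src) and should be dropped from that directive. The enclosing `server { … }` block starts before the hunk.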