logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git

hardening.md (4262B)

    

  1. # Hardening your instance
  2. Here are some suggestions which improve the security of parts of your Pleroma instance.
  4. ## Configuration file
  6. These changes should go into `prod.secret.exs` or `dev.secret.exs`, depending on your `MIX_ENV` value.
  8. ### `http`
  10. > Recommended value: `[ip: {127, 0, 0, 1}]`
  12. This sets the Pleroma application server to only listen to the localhost interface. This way, you can only reach your server over the Internet by going through the reverse proxy. By default, Pleroma listens on all interfaces.
  14. ### `secure_cookie_flag`
  16. > Recommended value: `true`
  18. This sets the `secure` flag on Pleroma’s session cookie. This makes sure, that the cookie is only accepted over encrypted HTTPs connections. This implicitly renames the cookie from `pleroma_key` to `__Host-pleroma-key` which enforces some restrictions. (see [cookie prefixes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#Cookie_prefixes))
  20. ### `:http_security`
  22. > Recommended value: `true`
  24. This will send additional HTTP security headers to the clients, including:
  26. * `X-XSS-Protection: "1; mode=block"`
  27. * `X-Permitted-Cross-Domain-Policies: "none"`
  28. * `X-Frame-Options: "DENY"`
  29. * `X-Content-Type-Options: "nosniff"`
  30. * `X-Download-Options: "noopen"`
  32. A content security policy (CSP) will also be set:
  34. ```csp
  35. content-security-policy:
  36.   default-src 'none';
  37.   base-uri 'self';
  38.   frame-ancestors 'none';
  39.   img-src 'self' data: blob: https:;
  40.   media-src 'self' https:;
  41.   style-src 'self' 'unsafe-inline';
  42.   font-src 'self';
  43.   script-src 'self';
  44.   connect-src 'self' wss://example.tld;
  45.   manifest-src 'self';
  46.   upgrade-insecure-requests;
  47. ```
  49. #### `sts`
  51. > Recommended value: `true`
  53. An additional “Strict transport security” header will be sent with the configured `sts_max_age` parameter. This tells the browser, that the domain should only be accessed over a secure HTTPs connection.
  55. #### `ct_max_age`
  57. An additional “Expect-CT” header will be sent with the configured `ct_max_age` parameter. This enforces the use of TLS certificates that are published in the certificate transparency log. (see [Expect-CT](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT))
  59. #### `referrer_policy`
  61. > Recommended value: `same-origin`
  63. If you click on a link, your browser’s request to the other site will include from where it is coming from. The “Referrer policy” header tells the browser how and if it should send this information. (see [Referrer policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy))
  65. ### Uploaded media and media proxy
  67. It is STRONGLY RECOMMENDED to serve both the locally-uploaded media and the media proxy from another domain than the domain that Pleroma runs on, if applicable.
  69. ```elixir
  70. config :pleroma, :media_proxy,
  71.   base_url: "https://some.other.domain"
  73. config :pleroma, Pleroma.Upload,
  74.   base_url: "https://some.other.domain/media"
  75. ```
  77. See `installation/pleroma-mediaproxy.nginx` for examples on how to configure your media proxy.
  79. ## systemd
  81. A systemd unit example is provided at `installation/pleroma.service`.
  83. ### PrivateTmp
  85. > Recommended value: `true`
  87. Use private `/tmp` and `/var/tmp` folders inside a new file system namespace, which are discarded after the process stops.
  89. ### ProtectHome
  91. > Recommended value: `true`
  93. The `/home`, `/root`, and `/run/user` folders can not be accessed by this service anymore. If your Pleroma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to `false`.
  95. ### ProtectSystem
  97. > Recommended value: `full`
  99. Mount `/usr`, `/boot`, and `/etc` as read-only for processes invoked by this service.
  101. ### PrivateDevices
  103. > Recommended value: `true`
  105. Sets up a new `/dev` mount for the process and only adds API pseudo devices like `/dev/null`, `/dev/zero` or `/dev/random` but not physical devices. This may not work on devices like the Raspberry Pi, where you need to set this to `false`.
  107. ### NoNewPrivileges
  109. > Recommended value: `true`
  111. Ensures that the service process and all its children can never gain new privileges through `execve()`.
  113. ### CapabilityBoundingSet
  115. > Recommended value: `~CAP_SYS_ADMIN`
  117. Drops the sysadmin capability from the daemon.