[GH-ISSUE #281] improve security score #223

Closed
opened 2026-02-26 09:36:41 +03:00 by kerem · 11 comments
Originally created by @ThomasWaldmann on GitHub (Aug 28, 2016).
Original GitHub issue: https://github.com/nsupdate-info/nsupdate.info/issues/281

Originally assigned to: @elnappo on GitHub.

https://observatory.mozilla.org/analyze.html?host=nsupdate.info
https://securityheaders.com/?q=nsupdate.info&followRedirects=on

kerem closed this issue 2026-02-26 09:36:42 +03:00

@elnappo commented on GitHub (Sep 5, 2016):

Could you provide the current nginx configuration? Some headers like X-XSS-Protection, X-Content-Type-Options, or HTTP Strict Transport Security could also be added by Django itself. OWASP provides a good reference of security related headers https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options

At least we should set the following headers:

  • X-Frame-Options: deny
  • X-XSS-Protection: 1; mode=block
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security: max-age=31536000 should cause no problems with update clients which do not support TLS?

@ThomasWaldmann commented on GitHub (Sep 5, 2016):

Stuff that can be as well solved in the application maybe better gets solved there, so everybody automatically gets it.

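An added example (not nsupdate.info code) of the application-side approach suggested above: a framework-agnostic WSGI middleware that adds the four headers from the previous comment's list, skips any header the app already set itself, and sends `Strict-Transport-Security` only on HTTPS responses (RFC 6797 requires hosts not to include it over plain HTTP, so a non-TLS update client never receives it). `SecurityHeadersMiddleware`, `demo_app` and `run_request` are names chosen here; Django's own `SecurityMiddleware` covers the same headers through `SECURE_CONTENT_TYPE_NOSNIFF`, `SECURE_BROWSER_XSS_FILTER` (removed in Django 4.0), `X_FRAME_OPTIONS` and `SECURE_HSTS_SECONDS`.

```python
"""WSGI middleware adding the security headers discussed in this issue.

Added example; not part of nsupdate.info.
"""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# Values taken from the header list in the thread; HSTS max-age is one year.
SECURITY_HEADERS = {
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
HSTS_VALUE = "max-age=31536000"


def add_security_headers(environ: dict, headers: Headers) -> Headers:
    """Return the header list with any missing security header appended."""
    present = {name.lower() for name, _ in headers}
    out = list(headers)
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            out.append((name, value))
    # Strict-Transport-Security is only meaningful on an HTTPS response and
    # RFC 6797 says a host must not send it over non-secure transport, so a
    # plain-HTTP update client that cannot do TLS never sees it.
    if environ.get("wsgi.url_scheme") == "https" and "strict-transport-security" not in present:
        out.append(("Strict-Transport-Security", HSTS_VALUE))
    return out


class SecurityHeadersMiddleware:
    """Wrap a WSGI app so every response carries the security headers."""

    def __init__(self, app: Callable) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def wrapped_start_response(status: str, headers: Headers, exc_info=None):
            return start_response(status, add_security_headers(environ, headers), exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed minimal app; it sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(app: Callable, scheme: str) -> Tuple[str, Headers]:
    """Drive a WSGI app with a constructed environ and capture status and headers."""
    captured: dict = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    b"".join(app(environ, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    wrapped = SecurityHeadersMiddleware(demo_app)
    for scheme in ("http", "https"):
        status, hdrs = run_request(wrapped, scheme)
        print(scheme, status)
        for name, value in hdrs:
            print(f"  {name}: {value}")
```

Running the block directly prints the header set for a plain-HTTP and an HTTPS request; the HSTS header appears only in the second.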

@elnappo commented on GitHub (Sep 6, 2016):

After a deeper look at the problem I think it's best to let the proxy (e.g. nginx) handle these security headers. Letting the app set these headers could lead to the following problems:

  • Both the proxy and the app set the same headers. I'm not sure what happens if they set the same header with different values.
  • Proxy configuration gets more complicated (does not set headers which Django already set). I usually only have one main configuration which is used by all sites.
  • This leads to different (TLS) configurations for the app proxy and the static files, as Django does not serve static files.

So, I propose the following changes:

  • only set security headers in dev configuration to get consistent headers across production and development environment https://github.com/nsupdate-info/nsupdate.info/compare/master...elnappo:secure-http
  • add or link to a secure example configuration (nginx, apache) in the documentation

@ThomasWaldmann commented on GitHub (Sep 6, 2016):

Hmm, couldn't that be confusing?

If we do it in the dev setup, will people then run the dev setup in production to get the security headers? Or will they skip configuring security headers because they were there in the dev setup?


@elnappo commented on GitHub (Sep 7, 2016):

I don't think so, dev setup is for developers who hopefully know what they are doing. I added the headers in the dev configuration to make sure that problems with these headers are recognised before going into production. We should add a secure example configuration in the documentation and a link to e.g. Observatory. I could add a comment in the dev configuration to make this more clear.


@elnappo commented on GitHub (Dec 29, 2018):

I updated the branch. `X-XSS-Protection: 1; mode=block` and `X-Content-Type-Options: nosniff` are now also set by Django.


@ThomasWaldmann commented on GitHub (Mar 4, 2019):

I set some stuff via nginx now, observatory shows "C" score now (up from "F"), but still some stuff to be improved.


@elnappo commented on GitHub (Mar 5, 2019):

Added `Referrer-Policy` header


@ThomasWaldmann commented on GitHub (Dec 27, 2019):

We went from C to B on: https://securityheaders.com/?q=nsupdate.info&followRedirects=on


@elnappo commented on GitHub (Dec 27, 2019):

For nsupdate.info we could also:

  • Update nginx cipher suites (how much compatibility do we need?)
  • Set CAA DNS Record

@elnappo commented on GitHub (Dec 29, 2019):

`Expect-CT: enforce, max-age=21600`

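An added example (not nsupdate.info code and not the scoring logic of Observatory or securityheaders.com) that audits a captured response header set against every header named in this thread: the four from the first list, `Referrer-Policy`, and `Expect-CT`. It also models the proxy-plus-app situation raised earlier: nginx's `add_header` does not replace a header the upstream app already sent (that takes `proxy_hide_header`), so the client receives both copies, and the audit flags any header that arrives with two different values. `merge_proxy_and_app`, `max_age`, `audit` and the sample header lists are this example's own names and constructed data; the thresholds (one-year HSTS, `enforce` on Expect-CT) follow the values quoted in the thread.

```python
"""Audit response headers against the headers discussed in this issue.

Added example; not part of nsupdate.info.
"""
import re
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

ONE_YEAR = 31536000  # HSTS max-age quoted in the thread


def merge_proxy_and_app(app_headers: Headers, proxy_headers: Headers) -> Headers:
    """Model what a client sees when the app emits headers and nginx add_header
    adds its own: both copies are sent, nothing is replaced."""
    return list(app_headers) + list(proxy_headers)


def max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS (';'-separated) or Expect-CT (','-separated) value."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(headers: Headers) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    findings: List[str] = []

    # Same header delivered twice with differing values: the proxy-vs-app
    # conflict from the thread. Which copy a browser honours depends on the
    # header, so treat any disagreement as a misconfiguration.
    for name, values in by_name.items():
        if len({v.lower() for v in values}) > 1:
            findings.append(f"{name}: conflicting values {values}")

    def first(name: str) -> Optional[str]:
        vals = by_name.get(name.lower())
        return vals[0].lower() if vals else None

    if first("X-Frame-Options") not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options: missing or not deny/sameorigin")
    if first("X-Content-Type-Options") != "nosniff":
        findings.append("X-Content-Type-Options: missing or not nosniff")
    if first("X-XSS-Protection") != "1; mode=block":
        findings.append("X-XSS-Protection: missing or not '1; mode=block'")
    hsts = first("Strict-Transport-Security")
    if hsts is None or (max_age(hsts) or 0) < ONE_YEAR:
        findings.append("Strict-Transport-Security: missing or max-age below one year")
    if first("Referrer-Policy") is None:
        findings.append("Referrer-Policy: missing")
    ect = first("Expect-CT")
    if ect is None or "enforce" not in ect or max_age(ect) is None:
        findings.append("Expect-CT: missing, not enforcing, or without max-age")
    return findings


# Constructed sample: the app sets three headers itself, the proxy adds the rest,
# and the two disagree on X-Frame-Options.
APP_HEADERS: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
]
PROXY_HEADERS: Headers = [
    ("X-Frame-Options", "deny"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]
# Constructed sample with no conflict and every header from the thread present.
FULL_HEADERS: Headers = APP_HEADERS[:3] + PROXY_HEADERS + [("Expect-CT", "enforce, max-age=21600")]


if __name__ == "__main__":
    for label, hdrs in (("merged", merge_proxy_and_app(APP_HEADERS, PROXY_HEADERS)), ("full", FULL_HEADERS)):
        print(label, audit(hdrs) or "no findings")
```

Feed `audit` the header list captured from a real response (for example the pairs from `http.client`'s `getheaders()`) to see which of the thread's recommendations a deployment still misses.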