Skip to content
This repository was archived by the owner on Jun 13, 2024. It is now read-only.

Security remove webserver identification #106

Open
btelnes wants to merge 2 commits into
base: edx_master_04_18_2018
Choose a base branch
from
Open

Security remove webserver identification #106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d2b515f
All web pages that contain user-controllable content must opt-out of …
btelnes Apr 18, 2018
9d62e22
Remove 'Server' and 'X-Powered-By' headers for improved security
btelnes Apr 18, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions playbooks/roles/nginx/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,10 +81,10 @@
tags:
- install
- install:system-requirements

# Use the nginx-extras package for headers-more-nginx-module support
- name: Install the nginx package
apt:
name: nginx
name: nginx-extras
state: latest
update_cache: yes
notify: restart nginx
Expand Down
5 changes: 4 additions & 1 deletion playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,12 @@ error_page {{ k }} {{ v }};

{% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
# request the browser to use SSL for all connections
add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
{% endif %}

# prevent the browser from doing MIME-type sniffing
add_header X-Content-Type-Options nosniff;

# Prevent invalid display courseware in IE 10+ with high privacy settings
add_header P3P '{{ NGINX_P3P_MESSAGE }}';

Expand Down
5 changes: 4 additions & 1 deletion playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,9 +90,12 @@ error_page {{ k }} {{ v }};

{% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
# request the browser to use SSL for all connections
add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}";
add_header Strict-Transport-Security "max-age={{ NGINX_HSTS_MAX_AGE }}; includeSubDomains";
{% endif %}

# prevent the browser from doing MIME-type sniffing
add_header X-Content-Type-Options nosniff;

# Prevent invalid display courseware in IE 10+ with high privacy settings
add_header P3P '{{ NGINX_P3P_MESSAGE }}';

Expand Down
4 changes: 4 additions & 0 deletions playbooks/roles/nginx/templates/etc/nginx/nginx.conf.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ http {
# increase header buffer for for https://edx-wiki.atlassian.net/browse/LMS-467&gt
# see http://orensol.com/2009/01/18/nginx-and-weird-400-bad-request-responses/
large_client_header_buffers 4 16k;

# Remove server info for security
more_clear_headers 'Server';
more_clear_headers 'X-Powered-By';
# server_tokens off;

# server_names_hash_bucket_size 64;
Expand Down