go-aah/aah#88 secure headers config added to app template
jeevatkm committed Aug 22, 2017
1 parent ef12445 commit 2df34dd
Showing 1 changed file with 161 additions and 0 deletions.
161 changes: 161 additions & 0 deletions aah/app-template/config/security.conf.atmpl
Expand Up @@ -230,4 +230,165 @@ security {
#cleanup_interval = "30m"
{{- end }}
}

# ---------------------------------------------------------------------------
# HTTP Secure Header(s)
# Application security headers with many safe defaults.
# Doc: https://docs.aahframework.org/security-config.html#section-http-header
#
# Tip: Quick way to verify secure headers - https://securityheaders.io
# ---------------------------------------------------------------------------
http_header {
# X-XSS-Protection
# Designed to enable the cross-site scripting (XSS) filter built into modern
# web browsers. This is usually enabled by default, but using this header
# will enforce it.
#
# Learn more:
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp
# https://www.keycdn.com/blog/x-xss-protection/
#
# Encouraged to make use of header `Content-Security-Policy` with enhanced
# policy to reduce XSS risk along with header `X-XSS-Protection`.
# Default values is `1; mode=block`.
#xxssp = "1; mode=block"

# X-Content-Type-Options
# Prevent Content Sniffing or MIME sniffing.
#
# Learn more:
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto
# https://en.wikipedia.org/wiki/Content_sniffing
# Default value is `nosniff`.
#xcto = "nosniff"

# X-Frame-Options
# Prevents Clickjacking.
#
# Learn more:
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo
# https://www.keycdn.com/blog/x-frame-options/
# Default value is `SAMEORIGIN`.
#xfo = "SAMEORIGIN"

# Referrer-Policy
# This header governs which referrer information, sent in the Referer header, should
# be included with requests made.
# Referrer Policy has been a W3C Candidate Recommendation since 26 January 2017.
#
# Learn more:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://www.w3.org/TR/referrer-policy/
# Default value is `no-referrer-when-downgrade`.
#rp = "no-referrer-when-downgrade"

# Strict-Transport-Security (STS, aka HSTS)
# STS header that lets a web site tell browsers that it should only be communicated
# with using HTTPS, instead of using HTTP.
#
# Learn more:
# https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
# https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
#
# Note: Framework checks that application uses SSL on startup then applies
# this header. Otherwise it does not apply.
sts {
# The time, in seconds, that the browser should remember that this site
# is only to be accessed using HTTPS. Valid time units are
# "s -> seconds", "m -> minutes", "h - hours".
# Default value is `30 days` in hours.
#max_age = "720h"

# If enabled the STS rule applies to all of the site's subdomains as well.
# Default value is `false`.
#include_subdomains = true

# Before enabling preload option, please read about pros and cons from above links.
# Default value is `false`.
#preload = false
}

# Content-Security-Policy (CSP)
# Provides a rich set of policy directives that enable fairly granular control
# over the resources that a page is allowed. Prevents XSS risks.
#
# Learn more:
# https://content-security-policy.com/
# https://developers.google.com/web/fundamentals/security/csp/
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp
#
# Read above references and define your policy.
#
# Note: It is highly recommended to verify your policy directives in report
# only mode before enabling this header. Since its highly controls how your
# page is rendered.
#
# No default values, you have to provide it.
csp {
# Set of directives to govern the resources load on a page.
#directives = ""

# By default, violation reports aren't sent. To enable violation reporting,
# you need to specify the report-uri policy directive.
report_uri = ""

# Puts your `Content-Security-Policy` in report only mode, so that you can verify
# and then set `csp_report_only` value to false.
# Don't forget to set the `report-uri` for validation.
report_only = true
}

# Public-Key-Pins PKP (aka HPKP)
# This header prevents the Man-in-the-Middle Attack (MITM) with forged certificates.
#
# Learn more:
# https://scotthelme.co.uk/hpkp-http-public-key-pinning/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
# Read above references and define your keys.
#
# Note:
# - HPKP has the potential to lock out users for a long time if used incorrectly!
# The use of backup certificates and/or pinning the CA certificate is recommended.
# - It is highly recommended to verify your policy directives in report only mode
# before enabling this header
# - It is highly recommended to verify your PKP in report only mode before enabling this header.
# No default values, you have to provide it.
pkp {
# The Base64 encoded Subject Public Key Information (SPKI) fingerprint.
# These values gets added as `pin-sha256=<key1>; ...`.
#keys = [
#"X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=",
#"MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
#]

# The time that the browser should remember that this site is only to be
# accessed using one of the defined keys.
# Valid time units are "s -> seconds", "m -> minutes", "h - hours".
max_age = "720h"

# If enabled the PKP keys applies to all of the site's subdomains as well.
# Default value is `false`.
include_subdomains = false

# By default, Pin validation failure reports aren't sent. To enable Pin validation
# failure reporting, you need to specify the report-uri.
report_uri = ""

# Puts your `Public-Key-Pins` in report only mode, so that you can verify
# and then set `pkp_report_only` value to false.
# Don't forget to set the `report-uri` for validation.
report_only = true
}

# X-Permitted-Cross-Domain-Policies
# Restrict Adobe Flash Player's or PDF documents access via crossdomain.xml,
# and this header.
#
# Learn more:
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xpcdp
# https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
# Default value is `master-only`.
#xpcdp = "master-only"
}
}
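Review bot: The closing comments of the `csp` and `pkp` blocks tell the reader to set `csp_report_only` / `pkp_report_only` to false and to set `report-uri`, but the keys actually defined in those blocks are `report_only` and `report_uri`; someone following the text would add a key the template never defines and, depending on how the framework treats unknown keys, leave the policy in report-only mode indefinitely. Suggest `# and then set `report_only` to false. Don't forget to set `report_uri` for validation.` in both places. The `sts.preload` comment would also benefit from stating the prerequisite the browser preload list enforces, since the defaults shown here do not meet it: `# Preload submission requires max_age of at least one year (8760h) and include_subdomains = true.` (assuming the framework does not validate this itself before emitting the header). Finally, the time-unit comments under `sts` and `pkp` read `"h - hours"` where the other units use `->`; `"h -> hours"` keeps them consistent.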
