diff --git a/aah/app-template/config/security.conf.atmpl b/aah/app-template/config/security.conf.atmpl index 89c8ab2..8561e60 100644 --- a/aah/app-template/config/security.conf.atmpl +++ b/aah/app-template/config/security.conf.atmpl @@ -230,4 +230,165 @@ security { #cleanup_interval = "30m" {{- end }} } + + # --------------------------------------------------------------------------- + # HTTP Secure Header(s) + # Application security headers with many safe defaults. + # Doc: https://docs.aahframework.org/security-config.html#section-http-header + # + # Tip: Quick way to verify secure headers - https://securityheaders.io + # --------------------------------------------------------------------------- + http_header { + # X-XSS-Protection + # Designed to enable the cross-site scripting (XSS) filter built into modern + # web browsers. This is usually enabled by default, but using this header + # will enforce it. + # + # Learn more: + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp + # https://www.keycdn.com/blog/x-xss-protection/ + # + # Encouraged to make use of header `Content-Security-Policy` with enhanced + # policy to reduce XSS risk along with header `X-XSS-Protection`. + # Default values is `1; mode=block`. + #xxssp = "1; mode=block" + + # X-Content-Type-Options + # Prevent Content Sniffing or MIME sniffing. + # + # Learn more: + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto + # https://en.wikipedia.org/wiki/Content_sniffing + # Default value is `nosniff`. + #xcto = "nosniff" + + # X-Frame-Options + # Prevents Clickjacking. + # + # Learn more: + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo + # https://www.keycdn.com/blog/x-frame-options/ + # Default value is `SAMEORIGIN`. + #xfo = "SAMEORIGIN" + + # Referrer-Policy + # This header governs which referrer information, sent in the Referer header, should + # be included with requests made. + # Referrer Policy has been a W3C Candidate Recommendation since 26 January 2017. + # + # Learn more: + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy + # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ + # https://www.w3.org/TR/referrer-policy/ + # Default value is `no-referrer-when-downgrade`. + #rp = "no-referrer-when-downgrade" + + # Strict-Transport-Security (STS, aka HSTS) + # STS header that lets a web site tell browsers that it should only be communicated + # with using HTTPS, instead of using HTTP. + # + # Learn more: + # https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet + # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security + # + # Note: Framework checks that application uses SSL on startup then applies + # this header. Otherwise it does not apply. + sts { + # The time, in seconds, that the browser should remember that this site + # is only to be accessed using HTTPS. Valid time units are + # "s -> seconds", "m -> minutes", "h - hours". + # Default value is `30 days` in hours. + #max_age = "720h" + + # If enabled the STS rule applies to all of the site's subdomains as well. + # Default value is `false`. + #include_subdomains = true + + # Before enabling preload option, please read about pros and cons from above links. + # Default value is `false`. + #preload = false + } + + # Content-Security-Policy (CSP) + # Provides a rich set of policy directives that enable fairly granular control + # over the resources that a page is allowed. Prevents XSS risks. + # + # Learn more: + # https://content-security-policy.com/ + # https://developers.google.com/web/fundamentals/security/csp/ + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp + # + # Read above references and define your policy. + # + # Note: It is highly recommended to verify your policy directives in report + # only mode before enabling this header. Since its highly controls how your + # page is rendered. + # + # No default values, you have to provide it. + csp { + # Set of directives to govern the resources load on a page. + #directives = "" + + # By default, violation reports aren't sent. To enable violation reporting, + # you need to specify the report-uri policy directive. + report_uri = "" + + # Puts your `Content-Security-Policy` in report only mode, so that you can verify + # and then set `csp_report_only` value to false. + # Don't forget to set the `report-uri` for validation. + report_only = true + } + + # Public-Key-Pins PKP (aka HPKP) + # This header prevents the Man-in-the-Middle Attack (MITM) with forged certificates. + # + # Learn more: + # https://scotthelme.co.uk/hpkp-http-public-key-pinning/ + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning + # Read above references and define your keys. + # + # Note: + # - HPKP has the potential to lock out users for a long time if used incorrectly! + # The use of backup certificates and/or pinning the CA certificate is recommended. + # - It is highly recommended to verify your policy directives in report only mode + # before enabling this header + # - It is highly recommended to verify your PKP in report only mode before enabling this header. + # No default values, you have to provide it. + pkp { + # The Base64 encoded Subject Public Key Information (SPKI) fingerprint. + # These values gets added as `pin-sha256=; ...`. + #keys = [ + #"X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=", + #"MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=" + #] + + # The time that the browser should remember that this site is only to be + # accessed using one of the defined keys. + # Valid time units are "s -> seconds", "m -> minutes", "h - hours". + max_age = "720h" + + # If enabled the PKP keys applies to all of the site's subdomains as well. + # Default value is `false`. + include_subdomains = false + + # By default, Pin validation failure reports aren't sent. To enable Pin validation + # failure reporting, you need to specify the report-uri. + report_uri = "" + + # Puts your `Public-Key-Pins` in report only mode, so that you can verify + # and then set `pkp_report_only` value to false. + # Don't forget to set the `report-uri` for validation. + report_only = true + } + + # X-Permitted-Cross-Domain-Policies + # Restrict Adobe Flash Player's or PDF documents access via crossdomain.xml, + # and this header. + # + # Learn more: + # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xpcdp + # https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html + # Default value is `master-only`. + #xpcdp = "master-only" + } }