Add setupcheck for Referrer-Policy header #9122
Comments
Makes sense, but only as a warning and not as an error. 👍
Fixes #9122

Based on https://www.w3.org/TR/referrer-policy/ and https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Setting a sane Referrer-Policy will tell the browser if/when to send referrer headers when accessing a link from Nextcloud. When configured properly this results in less tracking and less leaking of (possibly) sensitive URLs.

* Fix tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Which one of the headers do you recommend? Will change it in the upcoming release of the VM.
Any of those. Have a look at the linked page and choose the one that fits best into the VM setup. All of the 4 provide more privacy to the browsing user, as it will not reveal too much information to the redirected page (for example, getting a redirect from a share page would leak the share token).
@MorrisJobke Thanks! I set
@MorrisJobke @enoch85 How do I set this, and where?
@andyxh It's in your virtual host for either Nginx or Apache. The VM will have it from NC 14 and onwards.
Thank you! So I don't have to change anything? I'm on NC14 Beta 4 and I get this warning. Is there a setting I need to change, and if so, where?
Sent from my iPhone X
On Aug 20, 2018, at 12:04 PM, Daniel Hansson <notifications@github.com> wrote:
@andyxh It's in your virtual host for either Nginx or Apache.
The VM will have it from NC 14 and onwards.
It’s Apache :)
Sent from my iPhone X
On Aug 20, 2018, at 1:01 PM, Daniel Hansson <notifications@github.com> wrote:
@andyboeh You need to change it in your virtual host:
It's in your virtual host for either Nginx or Apache.
Here is an example: https://github.com/nextcloud/vm/pull/633/files#diff-f2ec80c094e0a6857e5610b0f944d2a7R138
…xtcloud/server#9122) Unset sensitive environment variables
See https://scotthelme.co.uk/a-new-security-header-referrer-policy/
We should probably check in the setupchecks if this header is set.
I would suggest accepting:
@nextcloud/security @MorrisJobke
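The setup check proposed in this issue, together with the share-token leak described in the comments above, as an added example that is not Nextcloud's own code. The accepted policy set, the header parsing and the sample response headers are assumptions made for this example.

```python
# Added example (not Nextcloud's setupcheck code): check the Referrer-Policy
# header as a setup check could, warning instead of erroring.
# All tokens defined by the W3C Referrer Policy specification.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Assumed accepted set: these never send an https page's path and query to
# another origin, so a share token in the URL is not leaked by a redirect.
ACCEPTED_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}


def effective_policy(header_value):
    """Policy a browser applies to a (possibly comma-separated) header value:
    the last recognized token wins and unknown tokens are skipped, as in the
    spec's parsing algorithm. Returns None when no token is usable."""
    chosen = None
    for token in header_value.split(","):
        token = token.strip().lower()  # lenient about case
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen


def check_referrer_policy(response_headers):
    """Return (level, message); level is 'ok' or 'warning', never 'error'."""
    value = next((v for k, v in response_headers.items()
                  if k.lower() == "referrer-policy"), None)  # names are case-insensitive
    if value is None:
        return ("warning", "Referrer-Policy header is not set; the browser "
                "default may send full URLs to other origins.")
    policy = effective_policy(value)
    if policy is None:
        return ("warning", f"Referrer-Policy '{value}' has no recognized token.")
    if policy in ACCEPTED_POLICIES:
        return ("ok", f"Referrer-Policy '{policy}' is set.")
    return ("warning", f"Referrer-Policy '{policy}' can send full URLs to other "
            "origins; use one of: " + ", ".join(sorted(ACCEPTED_POLICIES)))


if __name__ == "__main__":
    # Constructed sample response headers, as a web server in front of Nextcloud might send.
    for headers in ({}, {"Referrer-Policy": "unsafe-url"},
                    {"referrer-policy": "bogus, no-referrer"}):
        print(check_referrer_policy(headers))
```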