SURFscz / SRAM-deploy

Deploy scripts for the SCZ
Apache License 2.0

securityheaders op http redirect hosts #402

Closed baszoetekouw closed 8 months ago

baszoetekouw commented 1 year ago

The hosts that currently redirect to https in haproxy have no security headers. Investigate whether that is sensible.

mrvanes commented 8 months ago

Both the TEST and ACC redirect on http contain no security headers; does that settle the matter?

$ curl -v http://test.sram.surf.nl/
* processing: http://test.sram.surf.nl/
*   Trying 35.156.146.38:80...
* Connected to test.sram.surf.nl (35.156.146.38) port 80
> GET / HTTP/1.1
> Host: test.sram.surf.nl
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0
< Date: Mon, 11 Mar 2024 11:10:47 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://test.sram.surf.nl/
< X-Content-Type-Options: nosniff

mrvanes commented 8 months ago

$ curl -v http://sbs.scz-vm.net/
* processing: http://sbs.scz-vm.net/
*   Trying 172.20.1.24:80...
* Connected to sbs.scz-vm.net (172.20.1.24) port 80
> GET / HTTP/1.1
> Host: sbs.scz-vm.net
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0
< Date: Tue, 12 Mar 2024 14:29:49 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://sbs.scz-vm.net/
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.scz-vm.net; frame-ancestors 'none'; block-all-mixed-content;
< Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
* Connection #0 to host sbs.scz-vm.net left intact

baszoetekouw commented 8 months ago

confirmed:

╰─▶ curl -I http://acc.sram.surf.nl/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Fri, 15 Mar 2024 10:40:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://acc.sram.surf.nl/
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.acc.sram.surf.nl; frame-ancestors 'none'; block-all-mixed-content;
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()
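A small checker for what the thread verifies by hand, added here as an example and not part of SRAM-deploy: it parses a redirect host's plain-http response and reports whether it redirects to https on the same host and which of the security headers seen on the ACC redirect are missing. The expected-header list is taken from the ACC output above; the sample responses are constructed and abridged from the curl output quoted in this thread.

```python
from urllib.parse import urlsplit

# Headers present on the ACC/sbs redirect responses quoted in the thread;
# a redirect host that lacks any of them is reported as missing it.
EXPECTED_HEADERS = ("X-Content-Type-Options", "X-Frame-Options",
                    "X-XSS-Protection", "Referrer-Policy",
                    "Content-Security-Policy", "Permissions-Policy")

def parse_response(raw):
    """Split a raw `curl -I` style response into (status_code, {name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop any body
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return status, headers

def check_redirect(raw, host):
    """Report whether the plain-http response is an https redirect to the same
    host and which of the expected security headers it does not carry."""
    status, headers = parse_response(raw)
    target = urlsplit(headers.get("location", ""))
    return {
        "is_redirect": status in (301, 302, 307, 308),
        "to_https_same_host": target.scheme == "https" and target.hostname == host,
        "missing": [h for h in EXPECTED_HEADERS if h.lower() not in headers],
    }

# Constructed samples, abridged from the responses quoted above in the thread.
TEST_RESPONSE = """HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Location: https://test.sram.surf.nl/
X-Content-Type-Options: nosniff
"""
ACC_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://acc.sram.surf.nl/
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Permissions-Policy: camera=(), microphone=()
"""

if __name__ == "__main__":
    for host, raw in (("test.sram.surf.nl", TEST_RESPONSE), ("acc.sram.surf.nl", ACC_RESPONSE)):
        print(host, check_redirect(raw, host))
```

For a live host, feed it the output of `curl -sI http://host/` (which does not follow the redirect), so the headers checked are those of the http listener and not of the https site it points to.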