biigle / core

Application core of BIIGLE
https://biigle.de
GNU General Public License v3.0

Improve webserver settings #365

Closed mzur closed 3 years ago

mzur commented 3 years ago

These reports recommend improvements for the webserver settings:

Implement them if possible.

mzur commented 3 years ago

Implement a content security policy. The way we use Vue and inline scripts requires all (?) script-src permissions. This is a draft of a CSP that could work (add it to vhost.conf and vhost-no-ssl.conf):

add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'";

We should also implement an API endpoint that accepts report-uri warnings. The warnings should be converted to log error messages so we can detect any unintended CSP violations.

Maybe we can add script-src 'self' 'unsafe-inline' 'unsafe-eval';, which at least disallows data: and unsafe hashes.

Also we could add https: to script-src, style-src and form-action in case of vhost.conf (not vhost-no-ssl.conf).

mzur commented 3 years ago

I ditched the more advanced CSP as it involves too much work.

Issue 1: We have to implement a new public endpoint to accept CSP violation reports. This endpoint could potentially be used as a DDoS target because it writes the report directly to the logs.

Issue 2: The CSP report is sent with content type application/csp-report. This is not recognized and not parsed as JSON by Laravel.

I've now implemented the following CSP which I validated with some manual testing:

form-action 'self'; object-src 'none'; frame-ancestors 'none'
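A sketch of the report-uri endpoint discussed in the comments above, written in Python as an added example (not BIIGLE's own code, which is a Laravel application): it accepts only the application/csp-report media type that browsers send (the reason a JSON-only parser misses it), caps the body size before parsing so an abusive client cannot push arbitrary data into the logs, and turns a well-formed report into a single error log line. The logged field names and the sample report are constructed for illustration.

```python
import json
import logging
from typing import Optional

logger = logging.getLogger("csp")

# Browsers POST violation reports with this media type, not application/json,
# which is why a JSON-only request parser ignores them.
CSP_REPORT_CONTENT_TYPE = "application/csp-report"
MAX_REPORT_BYTES = 8 * 1024  # reject oversized bodies before parsing
# Fields copied into the log line (a choice made for this example, not BIIGLE's).
LOGGED_FIELDS = ("document-uri", "violated-directive", "blocked-uri", "source-file", "line-number")


def parse_csp_report(content_type: str, body: bytes) -> Optional[dict]:
    """Return the inner csp-report dict, or None if the request is not a well-formed report."""
    # Drop parameters such as "; charset=utf-8" before comparing the media type.
    if content_type.split(";", 1)[0].strip().lower() != CSP_REPORT_CONTENT_TYPE:
        return None
    if len(body) > MAX_REPORT_BYTES:
        return None
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report


def format_csp_log_line(report: dict) -> str:
    """Build one log line from a parsed report, keeping only the known fields."""
    parts = [f"{k}={report[k]}" for k in LOGGED_FIELDS if k in report]
    return "CSP violation: " + " ".join(parts)


def handle_csp_report(content_type: str, body: bytes) -> int:
    """Mimic the endpoint: log a valid report as an error and return an HTTP status code."""
    report = parse_csp_report(content_type, body)
    if report is None:
        return 400  # malformed or wrong media type: nothing reaches the logs
    logger.error(format_csp_log_line(report))
    return 204


# Constructed sample body, shaped like a browser's report for a blocked <object>.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://biigle.example/volumes/1",
    "violated-directive": "object-src 'none'",
    "blocked-uri": "https://evil.example/plugin.swf",
}}).encode()
```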