bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0
6.12k stars 339 forks

Choose between nginx and app headers #81

Closed thelittlefireman closed 3 years ago

thelittlefireman commented 3 years ago

Hi, could it be possible to upgrade the default configuration for these headers?

Set "always" (the "always" parameter guarantees that the header is set on ALL responses):

add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=expireTime [; includeSubDomains] [; preload]" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Feature-Policy "..." always;
add_header Permissions-Policy "" always;
add_header Referrer-Policy "no-referrer" always;

more_set_headers already does that: my bad!

On reverse proxy

proxy_cookie_flags: HttpOnly Secure SameSite=Lax;

Need to test if this overrides an upper security header. For example, if the reverse app sets "SameSite=Strict", will it be applied over "SameSite=Lax", or will it be "SameSite=Lax" that is always applied? (SameSite=Strict > SameSite=Lax)

It could be done with more_set_headers, but sometimes this could lead to a double "... secure; secure;": more_set_headers 'Set-Cookie: $sent_http_set_cookie; secure'; https://unix.stackexchange.com/questions/306463/nginx-add-secure-flag-to-cookies-from-proxied-server or maybe we could try https://github.com/AirisX/nginx_cookie_flag_module

A missing header

more_set_headers Expect-CT "report-uri='<uri>', enforce, max-age='<age>'" always https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

Content Security Policy is missing default-src 'self', script-src 'self', reflected-xss and upgrade-insecure-requests: https://www.keycdn.com/support/content-security-policy
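The two cookie problems raised above (a proxy-enforced SameSite=Lax must not weaken an app-chosen SameSite=Strict, and naive appending produces "secure; secure") as an added Python model, not code from the issue, from nginx or from the BunkerWeb project; it shows the merge rule the poster asks for, not how proxy_cookie_flags actually behaves, and the cookie values are constructed samples:

```python
# Strictness order for SameSite as stated in the issue: Strict > Lax > None.
SAMESITE_RANK = {"none": 0, "lax": 1, "strict": 2}
# Canonical spelling for attributes we emit (apps often send lowercase "secure").
CANON = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite",
         "path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires"}

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name=value, {attr_lowercase: value_or_None})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    pair, attrs = parts[0], {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None   # boolean flags map to None
    return pair, attrs

def merge_cookie_flags(set_cookie, enforced="HttpOnly Secure SameSite=Lax"):
    """Apply proxy-enforced flags to an app-set cookie: boolean flags are added
    only once (no 'secure; secure'), and SameSite keeps whichever side is stricter."""
    pair, attrs = parse_set_cookie(set_cookie)
    for flag in enforced.split():
        key, _, val = flag.partition("=")
        key = key.lower()
        if key == "samesite":
            app_value = (attrs.get("samesite") or "").lower()
            # Only replace when the proxy value is stricter than what the app chose.
            # Note: this also upgrades SameSite=None, which breaks cross-site cookies
            # that genuinely need it; such cookies would need an exemption.
            if SAMESITE_RANK.get(app_value, -1) < SAMESITE_RANK[val.lower()]:
                attrs["samesite"] = val
        elif key not in attrs:
            attrs[key] = None
    out = [pair]
    for key, val in attrs.items():
        name = CANON.get(key, key)
        out.append(name if val is None else f"{name}={val}")
    return "; ".join(out)

def duplicate_flags(set_cookie):
    """Detect attributes repeated in one Set-Cookie header, e.g. 'secure; Secure'."""
    keys = [p.strip().partition("=")[0].strip().lower()
            for p in set_cookie.split(";")[1:] if p.strip()]
    return sorted({k for k in keys if keys.count(k) > 1})

if __name__ == "__main__":
    # Constructed sample: app already sent Strict and a lowercase "secure".
    print(merge_cookie_flags("sid=abc; Path=/; SameSite=Strict; secure"))
    print(duplicate_flags("sid=abc; secure; Secure"))
```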

fl0ppy-d1sk commented 3 years ago

Hello @thelittlefireman,

You're right, I can't tell if the reverse proxy will override the header of the proxied server. We need to test it. Regarding Expect-CT, it looks like it will become obsolete, from your link: "The Expect-CT will likely become obsolete in June 2021."

fl0ppy-d1sk commented 3 years ago

Hi @thelittlefireman,

As discussed in #155, we can set the corresponding environment variable to nothing (e.g. COOKIE_FLAGS=) so the app one will be forwarded.

For now we have two undocumented choices:

  1. Configure bunkerized-nginx to set custom headers and override the ones set by the app
  2. Configure bunkerized-nginx to not override the header (by setting the environment variable to a "null" value) so the ones defined by the app are forwarded

Another possible feature would be to replace/append specific values in a header defined by the app (e.g. allow/deny a specific permission within the Permissions-Policy header). I don't have any idea how to do it for now, but it should be generic IMO (e.g. use a regex pattern to replace things). What do you think?

fl0ppy-d1sk commented 3 years ago

I've added some tips about app vs bunkerized-nginx headers to the documentation. Feel free to open a new issue if needed!