docksal / service-vhost-proxy

Virtual host proxy service image for Docksal
http://docksal.io
MIT License

Default security settings are vulnerable #83

Closed dtimberlake2019 closed 2 years ago

dtimberlake2019 commented 2 years ago

There are several critical security vulnerabilities we have discovered while running this in our environment.

Please update the nginx configuration to use standard security defaults:

Remove support for vulnerable protocols: TLS1.0 and TLS1.1

Remove support for vulnerable cipher: ECDHE-RSA-AES256-SHA384 on TLSv1.2
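An added example (not the project's own configuration, which is not shown on this page) contrasting nginx TLS settings that would produce the findings in the report with a hardened equivalent; the server_name and certificate paths are placeholders:

```nginx
# BEFORE (assumed weak settings that reproduce the reported findings):
# legacy protocols are still enabled, and "HIGH" includes CBC-mode suites
# such as ECDHE-RSA-AES256-SHA384 (AES-256-CBC with an HMAC-SHA384, not AEAD).
server {
    listen 443 ssl;
    server_name example.docksal;                        # placeholder
    ssl_certificate     /etc/nginx/certs/server.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;    # placeholder path

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                # TLS 1.0/1.1 offered
    ssl_ciphers   HIGH:!aNULL:!MD5;                     # CBC suites still allowed
    ssl_prefer_server_ciphers on;
}

# AFTER (hardened): TLS 1.2 and 1.3 only, and an explicit list of AEAD
# suites with forward secrecy. No CBC suite is listed, so
# ECDHE-RSA-AES256-SHA384 can no longer be negotiated on TLS 1.2.
# TLS 1.3 suites are fixed by OpenSSL and are not affected by ssl_ciphers.
server {
    listen 443 ssl;
    server_name example.docksal;                        # placeholder
    ssl_certificate     /etc/nginx/certs/server.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;    # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every listed suite is acceptable, let the client choose
}
```

To confirm the change on a running instance, `openssl s_client -connect <host>:443 -tls1_1` should fail the handshake, and `openssl s_client -connect <host>:443 -tls1_2 -cipher ECDHE-RSA-AES256-SHA384` should report no shared cipher.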

lmakarov commented 2 years ago

Thanks for reporting this!

While this image is intended for non-production/local use, maintaining basic up-to-date security measures makes sense regardless. I have a PR that will address this concern.

There are several critical security vulnerabilities we have discovered while running this in our environment.

What did you use to scan for vulnerabilities? How do you use this image that this concern popped up?