internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl
178 stars 38 forks

Add CSP and correct security.txt to dev-docker #1227

Open baknu opened 10 months ago

bwbroersma commented 10 months ago

Maybe instead of a lot of Canonicals: https://github.com/internetstandards/Internet.nl/blob/7bb8f53b97ffe467080884250bc0a81f029a978c/.well-known/security.txt#L4-L20 only use:

Canonical: https://internet.nl/.well-known/security.txt
Canonical: https://ipv6.internet.nl/.well-known/security.txt

And then use 302s for the en., nl. and www. to redirect to the apex or ipv6 accordingly.

Although this file now is used on batch, maybe also redirect batch to internet.nl and have one central file? A lot easier to manage on expiration. Dev probably should have its own file for testing purposes.

Since these are all 301s (toolbox|emailveilig|e-mailveilig|matomo) and 302s (*dashboard), these are not strictly needed according to internet.nl:

Canonical: https://dashboard.internet.nl/.well-known/security.txt
Canonical: https://ipv6.dashboard.internet.nl/.well-known/security.txt
Canonical: https://toolbox.internet.nl/.well-known/security.txt
Canonical: https://emailveilig.internet.nl/.well-known/security.txt
Canonical: https://ipv6kaart.internet.nl/.well-known/security.txt
Canonical: https://matomo.internet.nl/.well-known/security.txt

If there is a reason to be more than complete/strict e-mailveilig.internet.nl would be missing.

Another interesting thing, the HTTPS downgrade on https://conn.internet.nl/ should not happen for sectxt:

$ curl -sSfA 'Mozilla/5.0 (compatible; HumanWithCurl/0.1; +https://github.com/internetstandards/Internet.nl/issues/1227)' -Le ';auto' -b /dev/null -D- -o /dev/null https://conn.internet.nl/.well-known/security.txt -vvv --trace-time 2>&1 | grep -iE '[<>] (GET|location:|Host:)'

This is HTTPS -> HTTP -> HTTPS, which is plain wrong:

22:13:18.440434 > GET /.well-known/security.txt HTTP/2
22:13:18.440434 > Host: conn.internet.nl
22:13:18.453450 < location: http://conn.internet.nl/.well-known/security.txt
22:13:18.481163 > GET /.well-known/security.txt HTTP/1.1
22:13:18.481163 > Host: conn.internet.nl
22:13:18.494730 < Location: https://internet.nl/.well-known/security.txt
22:13:18.555618 > GET /.well-known/security.txt HTTP/2
22:13:18.555618 > Host: internet.nl
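The two checks raised in the comment above (a hop in the redirect chain that drops from HTTPS to HTTP, and whether the URL the chain finally lands on is one of the `Canonical` entries in the served file) can be automated. The script below is an added example, not code from Internet.nl; it runs offline against a constructed table of responses that mirrors the HTTPS -> HTTP -> HTTPS chain shown in the curl trace, next to a corrected table where the `conn.` host redirects straight to the apex over HTTPS. The status codes, the body of the served file and the contact address are assumptions, not values taken from the real hosts.

```python
"""Check a security.txt redirect chain for HTTPS->HTTP downgrades and for
Canonical consistency (RFC 9116).  Added example, not Internet.nl project code."""
from urllib.parse import urljoin, urlsplit

SECTXT_PATH = "/.well-known/security.txt"
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample modelled on the trace in the comment: conn. redirects to
# plain http:// first, which then redirects to the apex over https://.
# Status codes and file body are assumptions.
DOWNGRADING_RESPONSES = {
    "https://conn.internet.nl" + SECTXT_PATH:
        (302, {"location": "http://conn.internet.nl" + SECTXT_PATH}, ""),
    "http://conn.internet.nl" + SECTXT_PATH:
        (301, {"location": "https://internet.nl" + SECTXT_PATH}, ""),
    "https://internet.nl" + SECTXT_PATH:
        (200, {}, "Contact: mailto:security@example.invalid\n"
                  "Canonical: https://internet.nl" + SECTXT_PATH + "\n"
                  "Canonical: https://ipv6.internet.nl" + SECTXT_PATH + "\n"
                  "Expires: 2030-01-01T00:00:00.000Z\n"),
}

# Corrected variant: every hop stays on HTTPS and goes straight to the apex.
FIXED_RESPONSES = dict(DOWNGRADING_RESPONSES)
FIXED_RESPONSES["https://conn.internet.nl" + SECTXT_PATH] = (
    302, {"location": "https://internet.nl" + SECTXT_PATH}, "")


def follow_chain(start_url, responses, max_hops=10):
    """Walk redirects like `curl -L`; return ([(url, status), ...], final body)."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, headers, body = responses[url]
        hops.append((url, status))
        location = headers.get("location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # relative Location values are allowed
            continue
        return hops, body
    raise RuntimeError("redirect loop or chain too long")


def find_downgrades(hops):
    """Indices of hops where the scheme went from https to http."""
    schemes = [urlsplit(url).scheme for url, _ in hops]
    return [i for i in range(1, len(schemes))
            if schemes[i - 1] == "https" and schemes[i] == "http"]


def parse_canonical(body):
    """Extract the values of all Canonical fields (field names are case-insensitive)."""
    values = []
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "canonical":
            values.append(value.strip())
    return values


def check_security_txt(start_url, responses):
    """Summarise what a reviewer would want to know about one starting host."""
    hops, body = follow_chain(start_url, responses)
    final_url = hops[-1][0]
    canonical = parse_canonical(body)
    return {
        "hops": hops,
        "downgrade_hops": find_downgrades(hops),
        "final_url": final_url,
        "final_is_canonical": final_url in canonical,
        "all_https": all(urlsplit(u).scheme == "https" for u, _ in hops),
    }


if __name__ == "__main__":
    for label, table in (("current", DOWNGRADING_RESPONSES), ("fixed", FIXED_RESPONSES)):
        result = check_security_txt("https://conn.internet.nl" + SECTXT_PATH, table)
        print(label, "->", " -> ".join(u for u, _ in result["hops"]))
        print("   downgrade at hop(s):", result["downgrade_hops"],
              "| all https:", result["all_https"],
              "| final URL canonical:", result["final_is_canonical"])
```

Against a live host, `follow_chain` would be replaced by real requests with redirects disabled so each hop is recorded; the checks themselves stay the same. `all_https` is the property RFC 9116 actually requires of the file's delivery, while `downgrade_hops` pinpoints which hop in the chain introduced the downgrade.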