jvm-tech / JvMTECH.NeosHardening

Harden request headers, login interface and passwords to increase backend security.
MIT License

Stronger cookie default settings #4

Open Benjamin-K opened 11 months ago

Benjamin-K commented 11 months ago

Just asking before I create a PR: Should we add stronger settings for the Production context to this package? I think something like the settings below should be the default in production. I kept the comments so someone who wants to have a different value can easily change it.

```yaml
Neos:
  Flow:
    session:
      cookie:
        # Force SSL cookies.
        secure: true

        # The cookie samesite.
        # possible values: 'none', 'strict' and 'lax'
        samesite: 'strict'

      # Specifies the number of seconds a user must be idle before the session
      # automatically expires. If set to "0", a session will never expire
      # automatically.
      inactivityTimeout: 1440 # 24 minutes, Flow default is 1 hour

    http:
      # Defines the "application token" which is sent in HTTP Response "X-Flow-Powered" headers.
      #
      # The value can be one of:
      #
      # - "Off" (no application token header is sent)
      # - "ApplicationName" (the application name only, determined via the Neos.Flow.core.applicationKey setting)
      # - "MajorVersion" (the application name + major version, e.g. "Neos/2")
      # - "MinorVersion" (the application name + minor version, e.g. "Neos/2.1")
      #
      applicationToken: 'Off'

    security:
      cryptography:
        BCryptHashingStrategy:
          # Cost of a BCrypt operation, can be between 4 and 31
          # The faster your machine is, the higher this number should be
          cost: 14 # This is the default, but as an overview of all security options, I'll add it here, too.
```
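The settings above change two things that are visible in every HTTP response: the session `Set-Cookie` header gains `Secure` and `SameSite=Strict`, and the `X-Flow-Powered` header either disappears (`Off`) or, as later agreed in this thread, carries only the application name without a version. The following audit script is an added example and is not part of JvMTECH.NeosHardening or Neos Flow; it checks a captured set of response headers for exactly those properties. The cookie name `Neos_Flow_Session`, the `Neos/2.1` token format and the sample header values are constructed for the example, and the `HttpOnly` check goes slightly beyond the settings quoted above.

```python
"""Audit HTTP response headers for the session-cookie and application-token
hardening discussed in the issue.

Added example; not code from the JvMTECH.NeosHardening package or Neos Flow.
"""
import re

# Constructed sample responses. The cookie name "Neos_Flow_Session" and the
# "Neos/<version>" token format are assumptions about Flow's output.
HARDENED_HEADERS = [
    ("Set-Cookie", "Neos_Flow_Session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"),
    ("X-Flow-Powered", "Neos"),  # applicationToken: 'ApplicationName'
]
DEFAULT_HEADERS = [
    ("Set-Cookie", "Neos_Flow_Session=abc123; Path=/; HttpOnly"),
    ("X-Flow-Powered", "Neos/2.1"),  # applicationToken: 'MinorVersion'
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into the cookie name and a dict of its
    attributes, keyed by lowercase attribute name (flag attributes such as
    Secure map to an empty string)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(value):
    """Return a list of findings for one Set-Cookie header; empty means the
    cookie carries the attributes the hardened settings produce."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (Flow.session.cookie.secure: true)")
    samesite = attrs.get("samesite", "").lower()
    if samesite != "strict":
        findings.append(
            f"{name}: SameSite is {samesite or 'unset'!r}, expected Strict "
            "(Flow.session.cookie.samesite)"
        )
    # Not part of the settings quoted in the issue, but worth checking alongside.
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    return findings


def audit_application_token(value):
    """'Neos' (ApplicationName) is acceptable per the discussion; a token such
    as 'Neos/2' or 'Neos/2.1' discloses the framework version."""
    if re.search(r"/\d", value):
        return [f"X-Flow-Powered discloses a version: {value!r}"]
    return []


def audit_headers(headers):
    """Run the cookie and token checks over a list of (name, value) headers."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            findings.extend(audit_cookie(value))
        elif lname == "x-flow-powered":
            findings.extend(audit_application_token(value))
    return findings


if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED_HEADERS), ("default", DEFAULT_HEADERS)):
        print(label, audit_headers(headers) or ["ok"])
```

Run it against headers captured from your own deployment (for instance the output of a `curl -I` against the backend login page) to confirm that the Production-context settings are actually in effect after a deploy.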
sbruggmann commented 11 months ago

Hi @Benjamin-K Thanks for your input!

For Flow.session.cookie.(secure|samesite) I'm full in. Where do the 24 minutes come from and not just 1800?

The Flow.http.applicationToken I'd like to keep on "ApplicationName" because the system itself can usually be identified anyways and we as a community would affect the possibility for market share scanning.

I totally agree that applicationToken and security.cryptography.BCryptHashingStrategy.cost both need more attention like a hint. But I don't like to copy default values and existing comments.

Benjamin-K commented 11 months ago

Hi @sbruggmann

> Where do the 24 minutes come from and not just 1800?

The 24 minutes come from the PHP defaults. But I agree that we could also use a value that's more in line with our default timings, like 15 or 30 minutes (900 / 1800).

I also agree that the Flow.http.applicationToken should not be removed completely, to share the awesome work behind Flow and Neos.

I'm also fine if we do not add Flow.http.security here, if we don't change a thing. Could be a small hint in the Readme, though. What do you think?

sbruggmann commented 11 months ago

Hi @Benjamin-K

Sounds good 🙂