Security Review

[cycomachead]

Putting this as one mega issue to track everything.

• [x] #62
• [x] #61
• [x] #31 (semi-related)
• [x] SSL: OCSP stapling
• [x] SSL: HSTS headers (relates to #61)
• [x] Enforce SSL for postgres
• [ ] enable the ubuntu or DO firewalls
• [ ] some monitoring about OS updates?

What other policies and issues do we need to consider?

• monitoring?
• rate limiting?
• account login attempts?
• enforcing admin constraints?

[cycomachead]

https://observatory.mozilla.org/analyze/cloud.snap.berkeley.edu

Ouch, that grade is sad. Some of those things (CSP) don't really apply for an API, but since we are also serving HTML we should probably do that.

[cycomachead]

https://gauntface.com/blog/2014/09/09/your-guide-to-ssl-on-nginx https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/1091/0/certificate-installation--nginx https://gist.github.com/Timi7007/2b6cf34ea88220794c17b35b31607178

[cycomachead]

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/1091/0/certificate-installation--nginx https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/1015/0/enable-ocsp-stapling-on-nginx https://matthiasadler.info/blog/ocsp-stapling-on-nginx-with-comodo-ssl/

[cycomachead]

Mozilla recommended config: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.1e&hsts=yes&profile=intermediate

[cycomachead]

Postgres info: https://www.postgresql.org/docs/9.5/static/ssl-tcp.html

[cycomachead]

https://haydenjames.io/nginx-tuning-tips-tls-ssl-https-ttfb-latency/

[cycomachead]

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Current status is A+ for snap-staging.CS10.org

[bromagosa]

Current status is A+ for snap-staging.CS10.org

Yay! Does this mean this can be closed?

[cycomachead]

I want to review a few more things - we have some server configurations and we should also test for XSS.