state-hiu / 2C-GeoNode


new security requirements for 2C GeoNode server #145

Open d3netxer opened 5 years ago

d3netxer commented 5 years ago

Create a redirect on HTTP://secondarycities.geonode.state.gov to HTTPS://secondarycities.geonode.state.gov

- Must be a 301 or 302 header redirect
- Enable HSTS with max-age=31536000

d3netxer commented 5 years ago

This can be done by adding these header directives in the top-level server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Access-Control-Allow-Origin "*";

Important note: There’s one important exception: if a block includes an add_header directive itself, it does not inherit headers from enclosing blocks, and you need to redeclare all add_header directives.
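The following nginx configuration is an added example, not part of this issue or of the 2C-GeoNode repository. It puts together the two requirements from the opening comment (a 301 redirect from HTTP to HTTPS and HSTS with max-age=31536000) and illustrates the add_header inheritance caveat above: a location that declares its own add_header must redeclare the HSTS header. The certificate paths, the upstream address (127.0.0.1:8000) and the static file path are assumptions; only the hostname comes from the issue.

```nginx
# Added example (not from the 2C-GeoNode repository). Hostname from the issue;
# certificate paths, upstream address and static path are placeholders/assumptions.

# 1. Redirect every plain-HTTP request to HTTPS with a 301 (permanent) redirect.
server {
    listen 80;
    listen [::]:80;
    server_name secondarycities.geonode.state.gov;

    # $host keeps the Host the client asked for; $request_uri keeps path and query.
    return 301 https://$host$request_uri;
}

# 2. Serve the site over TLS and send HSTS on every response.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name secondarycities.geonode.state.gov;

    ssl_certificate     /etc/ssl/certs/PLACEHOLDER-fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/PLACEHOLDER-privkey.pem;   # placeholder path

    # "always" makes nginx add the header on 4xx/5xx responses as well, not only
    # on 2xx/3xx; compliance scanners commonly check error pages too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # No add_header here, so this location inherits the HSTS header
        # declared in the enclosing server block.
        proxy_pass http://127.0.0.1:8000;   # assumed GeoNode upstream
    }

    location /static/ {
        # This block declares its own add_header, so it inherits nothing from the
        # server block: the HSTS header has to be redeclared here or it disappears
        # from /static/ responses.
        add_header Cache-Control "public, max-age=604800";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        alias /var/www/geonode/static/;   # assumed path
    }
}
```

After `nginx -t` and a reload, `curl -sI http://secondarycities.geonode.state.gov/` should return `301` with a `Location: https://...` header, and `curl -sI https://secondarycities.geonode.state.gov/static/` should show the `Strict-Transport-Security` header even though that location sets its own Cache-Control header.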

d3netxer commented 5 years ago

Same thing, I can test for this fix on the dev server.

d3netxer commented 5 years ago

I'm moving this to a 1st priority for milestone 2. This is a requirement for our websites, and they are scanning for this now.