---
Name: 'a2nt-cms-niceties-base-security'
After: 'framework/*, cms/*, security_baseline'
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
    class: A2nt\CMSNiceties\Extensions\LostPasswordHandlerExtension
  SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
    class: A2nt\CMSNiceties\Extensions\SiteMemberLoginForm
---
Except:
  environment: dev
---
# Secure cookies
SilverStripe\Control\Session:
  cookie_secure: true
  strict_user_agent_check: false
  timeout: 604800

SilverStripe\Forms\PasswordField:
  autocompleate: false

SilverStripe\Security\Member:
  lock_out_after_incorrect_logins: 5
  lock_out_delay_mins: 5
  # Password expiry should only happen when the password is leaked (optionally expire automatically if PCI/NIST compliance is required)
  # password_expiry_days: 90
  # instead of password change, we send out a notice on change of password OR Email (notify_account_security_change)
  notify_password_change: false
#######################
# Security Headers
#######################
#Controller:
#  security_headers:
#    # # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint
#    # Header-Directive: "value; another value;"
#    # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard"
#    # X-Another-Alias-Version-Of-Same: "different; value syntax as well;"

#
# A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security:
#

#    # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
#    # Specifies approved sources of content that the browser may load from your website
#    # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites)
#    # Example: Allow everything but only from the same origin:
#    Content-Security-Policy: "default-src 'self';"
#    # Example: Allow Google Analytics, Google AJAX CDN and Same Origin
#    Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
#    # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any
#    # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
#    Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"

#    # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
#    # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects
#    # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri
#    Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/
#    Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;"

#    # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#    # Tells the browser to ONLY interact with the site using HTTPS and never HTTP
#    Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS

#    # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
#    # Disallowes pages to render within a frame - protects against clickjacking attacks
#    Frame-Options: "deny"

#    # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
#    # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected)
#    # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead
#    X-XSS-Protection: "1; mode=block"

#    # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#    # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed
#    # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are
#    # served with a MIME type other than text/html. Make sure to set both headers correctly.
#    # Site security testers usually expect this header to be set.
#    X-Content-Type-Options: "nosniff"

#
# Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers
#

#    # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
#    # controls how much referrer information should be sent to another server
#    Referrer-Policy: no-referrer

#    # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
#    # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content

#    # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests)
#    # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

#
# A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php
#

# Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
# Clears browsing data (cookies, storage, cache) associated with the requesting website

# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
# to prevent the use of misissued certificates for that site from going unnoticed.
# (will likely become obsolete in June 2021)