diff --git a/app/_config.php b/app/_config.php index d76f1cf..3507b0f 100644 --- a/app/_config.php +++ b/app/_config.php @@ -38,3 +38,11 @@ $parser = ShortcodeParser::get('default'); $parser->unregister('embed'); $parser->register('embed', [EmbedShortcodeProvider::class, 'handle_shortcode']); +if (!Director::isDev()) { + $validator = new SecurityPasswordValidator(); + $validator->setMinLength(8); + $validator->maxLength(72); + $validator->setHistoricCount(6); + $validator->characterStrength(3, [ 'lowercase', 'uppercase', 'digits', 'punctuation' ]); + Member::set_password_validator($validator); +} diff --git a/app/_config/security.yml b/app/_config/security.yml index e758d4b..56a509c 100644 --- a/app/_config/security.yml +++ b/app/_config/security.yml @@ -2,6 +2,18 @@ Name: 'webapp-security' After: 'framework/*, cms/*, security_baseline' --- +SilverStripe\Core\Injector\Injector: + SilverStripe\Security\MemberAuthenticator\LostPasswordHandler: + class: Site\Extensions\LostPasswordHandlerExtension + SilverStripe\Security\MemberAuthenticator\MemberLoginForm: + class: Site\Extensions\SiteMemberLoginForm +--- +Except: + environment: dev +--- +SilverStripe\Forms\PasswordField: + autocompleate: false + SilverStripe\Security\Member: lock_out_after_incorrect_logins: 5 lock_out_delay_mins: 5 @@ -9,12 +21,79 @@ SilverStripe\Security\Member: # password_expiry_days: 90 # instead of password change, we send out a notice on change of password OR Email (notify_account_security_change) notify_password_change: false +####################### +# Security Headers +####################### +#Controller: +# security_headers: +# # # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint +# # Header-Directive: "value; another value;" +# # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard" +# # X-Another-Alias-Version-Of-Same: "different; value syntax as well;" -SilverStripe\Forms\PasswordField: - autocompleate: false +# +# A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security: +# -SilverStripe\Core\Injector\Injector: - SilverStripe\Security\MemberAuthenticator\LostPasswordHandler: - class: Site\Extensions\LostPasswordHandlerExtension - SilverStripe\Security\MemberAuthenticator\MemberLoginForm: - class: Site\Extensions\SiteMemberLoginForm +# # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +# # Specifies approved sources of content that the browser may load from your website +# # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites) +# # Example: Allow everything but only from the same origin: +# Content-Security-Policy: "default-src 'self';" +# # Example: Allow Google Analytics, Google AJAX CDN and Same Origin +# Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;" +# # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any +# # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites. +# Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'" + +# # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only +# # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects +# # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri +# Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/ +# Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;" + +# # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# # Tells the browser to ONLY interact with the site using HTTPS and never HTTP +# Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS + +# # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +# # Disallowes pages to render within a frame - protects against clickjacking attacks +# Frame-Options: "deny" + +# # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected) +# # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead +# X-XSS-Protection: "1; mode=block" + +# # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +# # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed +# # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are +# # served with a MIME type other than text/html. Make sure to set both headers correctly. +# # Site security testers usually expect this header to be set. +# X-Content-Type-Options: "nosniff" + +# +# Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers +# + +# # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy +# # controls how much referrer information should be sent to another server +# Referrer-Policy: no-referrer + +# # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy +# # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content + +# # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests) +# # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin + +# +# A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php +# + +# Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data +# Clears browsing data (cookies, storage, cache) associated with the requesting website + +# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT +# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements, +# to prevent the use of misissued certificates for that site from going unnoticed. +# (will likely become obsolete in June 2021) diff --git a/app/src/Extensions/SiteMemberLoginForm.php b/app/src/Extensions/SiteMemberLoginForm.php index c3c7fa2..196b073 100644 --- a/app/src/Extensions/SiteMemberLoginForm.php +++ b/app/src/Extensions/SiteMemberLoginForm.php @@ -4,6 +4,7 @@ namespace Site\Extensions; +use SilverStripe\Control\Director; use SilverStripe\Security\MemberAuthenticator\MemberLoginForm; class SiteMemberLoginForm extends MemberLoginForm @@ -26,5 +27,9 @@ class SiteMemberLoginForm extends MemberLoginForm $pass = $fields->fieldByName('Password'); //$pass->setAttribute('autocomplete', 'current-password'); $pass->setAutofocus(true); + + if (Director::isLive()) { + $this->enableSpamProtection(); + } } } \ No newline at end of file