IMPR: Security hardenings

app/_config.php

@@ -38,3 +38,11 @@ $parser = ShortcodeParser::get('default');
 $parser->unregister('embed');
 $parser->register('embed', [EmbedShortcodeProvider::class, 'handle_shortcode']);
 
+if (!Director::isDev()) {
+    $validator = new SecurityPasswordValidator();
+    $validator->setMinLength(8);
+    $validator->maxLength(72);
+    $validator->setHistoricCount(6);
+    $validator->characterStrength(3, [ 'lowercase', 'uppercase', 'digits', 'punctuation' ]);
+    Member::set_password_validator($validator);
+}

app/_config/security.yml

@@ -2,6 +2,18 @@
 Name: 'webapp-security'
 After: 'framework/*, cms/*, security_baseline'
 ---
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
+    class: Site\Extensions\LostPasswordHandlerExtension
+  SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
+    class: Site\Extensions\SiteMemberLoginForm
+---
+Except:
+  environment: dev
+---
+SilverStripe\Forms\PasswordField:
+  autocompleate: false
+
 SilverStripe\Security\Member:
   lock_out_after_incorrect_logins: 5
   lock_out_delay_mins: 5
@@ -9,12 +21,79 @@ SilverStripe\Security\Member:
   # password_expiry_days: 90
   # instead of password change, we send out a notice on change of password OR Email (notify_account_security_change)
   notify_password_change: false
+#######################
+# Security Headers
+#######################
+#Controller:
+#  security_headers:
+#    # # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint
+#    # Header-Directive: "value; another value;"
+#    # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard"
+#    # X-Another-Alias-Version-Of-Same: "different; value syntax as well;"
 
-SilverStripe\Forms\PasswordField:
+#
-  autocompleate: false
+# A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security:
+#
 
-SilverStripe\Core\Injector\Injector:
+#    # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-  SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
+#    # Specifies approved sources of content that the browser may load from your website
-    class: Site\Extensions\LostPasswordHandlerExtension
+#    # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites)
-  SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
+#    # Example: Allow everything but only from the same origin:
-    class: Site\Extensions\SiteMemberLoginForm
+#    Content-Security-Policy: "default-src 'self';"
+#    # Example: Allow Google Analytics, Google AJAX CDN and Same Origin
+#    Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
+#    # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any
+#    # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
+#    Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"
+
+#    # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+#    # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects
+#    # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri
+#    Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/
+#    Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;"
+
+#    # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+#    # Tells the browser to ONLY interact with the site using HTTPS and never HTTP
+#    Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS
+
+#    # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+#    # Disallowes pages to render within a frame - protects against clickjacking attacks
+#    Frame-Options: "deny"
+
+#    # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+#    # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected)
+#    # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead
+#    X-XSS-Protection: "1; mode=block"
+
+#    # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+#    # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed
+#    # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are
+#    # served with a MIME type other than text/html. Make sure to set both headers correctly.
+#    # Site security testers usually expect this header to be set.
+#    X-Content-Type-Options: "nosniff"
+
+#
+# Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers
+#
+
+#    # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+#    # controls how much referrer information should be sent to another server
+#    Referrer-Policy: no-referrer
+
+#    # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+#    # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content
+
+#    # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests)
+#    # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+
+#
+# A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php
+#
+
+# Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
+# Clears browsing data (cookies, storage, cache) associated with the requesting website
+
+# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
+# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
+# to prevent the use of misissued certificates for that site from going unnoticed.
+# (will likely become obsolete in June 2021)

app/src/Extensions/SiteMemberLoginForm.php

@@ -4,6 +4,7 @@
 namespace Site\Extensions;
 
 
+use SilverStripe\Control\Director;
 use SilverStripe\Security\MemberAuthenticator\MemberLoginForm;
 
 class SiteMemberLoginForm extends MemberLoginForm
@@ -26,5 +27,9 @@ class SiteMemberLoginForm extends MemberLoginForm
 		$pass = $fields->fieldByName('Password');
 		//$pass->setAttribute('autocomplete', 'current-password');
 		$pass->setAutofocus(true);
+
+		if (Director::isLive()) {
+			$this->enableSpamProtection();
+		}
 	}
 }