mirror of
https://github.com/a2nt/silverstripe-webpack.git
synced 2024-10-22 17:05:31 +02:00
IMPR: Security hardenings
This commit is contained in:
parent
8f88563bb7
commit
d0a4a479c4
@ -38,3 +38,11 @@ $parser = ShortcodeParser::get('default');
|
||||
$parser->unregister('embed');
|
||||
$parser->register('embed', [EmbedShortcodeProvider::class, 'handle_shortcode']);
|
||||
|
||||
if (!Director::isDev()) {
|
||||
$validator = new SecurityPasswordValidator();
|
||||
$validator->setMinLength(8);
|
||||
$validator->maxLength(72);
|
||||
$validator->setHistoricCount(6);
|
||||
$validator->characterStrength(3, [ 'lowercase', 'uppercase', 'digits', 'punctuation' ]);
|
||||
Member::set_password_validator($validator);
|
||||
}
|
||||
|
@ -2,6 +2,18 @@
|
||||
Name: 'webapp-security'
|
||||
After: 'framework/*, cms/*, security_baseline'
|
||||
---
|
||||
SilverStripe\Core\Injector\Injector:
|
||||
SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
|
||||
class: Site\Extensions\LostPasswordHandlerExtension
|
||||
SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
|
||||
class: Site\Extensions\SiteMemberLoginForm
|
||||
---
|
||||
Except:
|
||||
environment: dev
|
||||
---
|
||||
SilverStripe\Forms\PasswordField:
|
||||
autocompleate: false
|
||||
|
||||
SilverStripe\Security\Member:
|
||||
lock_out_after_incorrect_logins: 5
|
||||
lock_out_delay_mins: 5
|
||||
@ -9,12 +21,79 @@ SilverStripe\Security\Member:
|
||||
# password_expiry_days: 90
|
||||
# instead of password change, we send out a notice on change of password OR Email (notify_account_security_change)
|
||||
notify_password_change: false
|
||||
#######################
|
||||
# Security Headers
|
||||
#######################
|
||||
#Controller:
|
||||
# security_headers:
|
||||
# # # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint
|
||||
# # Header-Directive: "value; another value;"
|
||||
# # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard"
|
||||
# # X-Another-Alias-Version-Of-Same: "different; value syntax as well;"
|
||||
|
||||
SilverStripe\Forms\PasswordField:
|
||||
autocompleate: false
|
||||
#
|
||||
# A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security:
|
||||
#
|
||||
|
||||
SilverStripe\Core\Injector\Injector:
|
||||
SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
|
||||
class: Site\Extensions\LostPasswordHandlerExtension
|
||||
SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
|
||||
class: Site\Extensions\SiteMemberLoginForm
|
||||
# # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
# # Specifies approved sources of content that the browser may load from your website
|
||||
# # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites)
|
||||
# # Example: Allow everything but only from the same origin:
|
||||
# Content-Security-Policy: "default-src 'self';"
|
||||
# # Example: Allow Google Analytics, Google AJAX CDN and Same Origin
|
||||
# Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
|
||||
# # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any
|
||||
# # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
|
||||
# Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"
|
||||
|
||||
# # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
|
||||
# # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects
|
||||
# # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri
|
||||
# Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/
|
||||
# Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;"
|
||||
|
||||
# # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
||||
# # Tells the browser to ONLY interact with the site using HTTPS and never HTTP
|
||||
# Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS
|
||||
|
||||
# # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||
# # Disallowes pages to render within a frame - protects against clickjacking attacks
|
||||
# Frame-Options: "deny"
|
||||
|
||||
# # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
||||
# # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected)
|
||||
# # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead
|
||||
# X-XSS-Protection: "1; mode=block"
|
||||
|
||||
# # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||
# # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed
|
||||
# # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are
|
||||
# # served with a MIME type other than text/html. Make sure to set both headers correctly.
|
||||
# # Site security testers usually expect this header to be set.
|
||||
# X-Content-Type-Options: "nosniff"
|
||||
|
||||
#
|
||||
# Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers
|
||||
#
|
||||
|
||||
# # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
|
||||
# # controls how much referrer information should be sent to another server
|
||||
# Referrer-Policy: no-referrer
|
||||
|
||||
# # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
||||
# # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content
|
||||
|
||||
# # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests)
|
||||
# # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
|
||||
|
||||
#
|
||||
# A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php
|
||||
#
|
||||
|
||||
# Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
|
||||
# Clears browsing data (cookies, storage, cache) associated with the requesting website
|
||||
|
||||
# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
|
||||
# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
|
||||
# to prevent the use of misissued certificates for that site from going unnoticed.
|
||||
# (will likely become obsolete in June 2021)
|
||||
|
@ -4,6 +4,7 @@
|
||||
namespace Site\Extensions;
|
||||
|
||||
|
||||
use SilverStripe\Control\Director;
|
||||
use SilverStripe\Security\MemberAuthenticator\MemberLoginForm;
|
||||
|
||||
class SiteMemberLoginForm extends MemberLoginForm
|
||||
@ -26,5 +27,9 @@ class SiteMemberLoginForm extends MemberLoginForm
|
||||
$pass = $fields->fieldByName('Password');
|
||||
//$pass->setAttribute('autocomplete', 'current-password');
|
||||
$pass->setAutofocus(true);
|
||||
|
||||
if (Director::isLive()) {
|
||||
$this->enableSpamProtection();
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user