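---
Name: 'webapp-base-security'
# Before/After take one pattern or a list of patterns. A single comma-separated
# string is matched as ONE pattern and matches nothing, so the ordering would
# silently not be enforced; each pattern is listed on its own instead.
After:
  - 'framework/*'
  - 'cms/*'
  - 'security_baseline'
---
# Replace the core lost-password handler and login form with the site's own
# implementations (the replacement classes live in Site\Extensions).
SilverStripe\Core\Injector\Injector:
  SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
    class: Site\Extensions\LostPasswordHandlerExtension
  SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
    class: Site\Extensions\SiteMemberLoginForm
---
# The fragment below is skipped in the dev environment (presumably because
# cookie_secure needs HTTPS, which local development usually lacks).
Except:
  environment: dev
---
# Secure cookies
SilverStripe\Control\Session:
  # Session cookie carries the Secure flag, i.e. it is only sent over HTTPS.
  cookie_secure: true
  # NOTE(review): a session is NOT invalidated when the User-Agent string
  # changes; confirm this relaxation is intentional.
  strict_user_agent_check: false
  # Session lifetime in seconds: 7 days (7 * 24 * 60 * 60).
  timeout: 604800

SilverStripe\Forms\PasswordField:
  # Core config name is `autocomplete`; a misspelled key (previously
  # "autocompleate") is silently ignored and the attribute is never disabled.
  autocomplete: false

SilverStripe\Security\Member:
  # Lock the account for lock_out_delay_mins after this many failed logins.
  lock_out_after_incorrect_logins: 5
  lock_out_delay_mins: 5
  # Password expiry should only happen when the password is leaked
  # (optionally expire automatically if PCI/NIST compliance is required)
  # password_expiry_days: 90
  # Instead of the password-change notice, we send out a notice on change of
  # password OR Email (notify_account_security_change).
  notify_password_change: false

#######################
# Security Headers
#######################
#Controller:
#  security_headers:
#    #
#    # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint
#    # Header-Directive: "value; another value;"
#    # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard"
#    # X-Another-Alias-Version-Of-Same: "different; value syntax as well;"
#    # A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security:
#    #
#    # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
#    # Specifies approved sources of content that the browser may load from your website
#    # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites)
#    # Example: Allow everything but only from the same origin:
#    Content-Security-Policy: "default-src 'self';"
#    # Example: Allow Google Analytics, Google AJAX CDN and Same Origin
#    Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
#    # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any
#    # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
#    Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"
#    # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
#    # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects
#    # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri
#    Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/
#    Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;"
#    # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
#    # Tells the browser to ONLY interact with the site using HTTPS and never HTTP
#    Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS
#    # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
#    # Disallows pages to render within a frame - protects against clickjacking attacks
#    Frame-Options: "deny"
#    # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
#    # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected)
#    # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead
#    X-XSS-Protection: "1; mode=block"
#    # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
#    # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed
#    # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are
#    # served with a MIME type other than text/html. Make sure to set both headers correctly.
#    # Site security testers usually expect this header to be set.
#    X-Content-Type-Options: "nosniff"
#    # Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers
#    #
#    # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
#    # controls how much referrer information should be sent to another server
#    Referrer-Policy: no-referrer
#    # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
#    # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content
#    # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests)
#    # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
#    # A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php
#    # Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
# Clears browsing data (cookies, storage, cache) associated with the requesting website
# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
# to prevent the use of misissued certificates for that site from going unnoticed.
# (will likely become obsolete in June 2021)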