silverstripe-webpack/app/_config/base-security.yml
2021-03-15 03:45:35 +07:00

106 lines
6.1 KiB
YAML

---
Name: 'webapp-base-security'
After: 'framework/*, cms/*, security_baseline'
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
class: App\Extensions\LostPasswordHandlerExtension
SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
class: App\Extensions\SiteMemberLoginForm
---
Except:
environment: dev
---
# Secure cookies
SilverStripe\Control\Session:
cookie_secure: true
strict_user_agent_check: false
timeout: 604800
SilverStripe\Forms\PasswordField:
autocompleate: false
SilverStripe\Security\Member:
lock_out_after_incorrect_logins: 5
lock_out_delay_mins: 5
# Password expiry should only happen when the password is leaked (optionally expire automatically if PCI/NIST compliance is required)
# password_expiry_days: 90
# instead of password change, we send out a notice on change of password OR Email (notify_account_security_change)
notify_password_change: false
#######################
# Security Headers
#######################
#Controller:
# security_headers:
# # # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint
# # Header-Directive: "value; another value;"
# # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard"
# # X-Another-Alias-Version-Of-Same: "different; value syntax as well;"
#
# A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security:
#
# # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# # Specifies approved sources of content that the browser may load from your website
# # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites)
# # Example: Allow everything but only from the same origin:
# Content-Security-Policy: "default-src 'self';"
# # Example: Allow Google Analytics, Google AJAX CDN and Same Origin
# Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
# # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any
# # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
# Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"
# # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects
# # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri
# Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/
# Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;"
# # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# # Tells the browser to ONLY interact with the site using HTTPS and never HTTP
# Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS
# # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# # Disallowes pages to render within a frame - protects against clickjacking attacks
# Frame-Options: "deny"
# # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected)
# # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead
# X-XSS-Protection: "1; mode=block"
# # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed
# # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are
# # served with a MIME type other than text/html. Make sure to set both headers correctly.
# # Site security testers usually expect this header to be set.
# X-Content-Type-Options: "nosniff"
#
# Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers
#
# # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# # controls how much referrer information should be sent to another server
# Referrer-Policy: no-referrer
# # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content
# # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests)
# # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
#
# A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php
#
# Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
# Clears browsing data (cookies, storage, cache) associated with the requesting website
# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
# to prevent the use of misissued certificates for that site from going unnoticed.
# (will likely become obsolete in June 2021)