mirror of
https://github.com/a2nt/silverstripe-webpack.git
synced 2024-10-22 17:05:31 +02:00
106 lines
6.1 KiB
YAML
106 lines
6.1 KiB
YAML
---
|
|
Name: 'webapp-base-security'
|
|
After: 'framework/*, cms/*, security_baseline'
|
|
---
|
|
SilverStripe\Core\Injector\Injector:
|
|
SilverStripe\Security\MemberAuthenticator\LostPasswordHandler:
|
|
class: Site\Extensions\LostPasswordHandlerExtension
|
|
SilverStripe\Security\MemberAuthenticator\MemberLoginForm:
|
|
class: Site\Extensions\SiteMemberLoginForm
|
|
---
|
|
Except:
|
|
environment: dev
|
|
---
|
|
# Secure cookies
|
|
SilverStripe\Control\Session:
|
|
cookie_secure: true
|
|
strict_user_agent_check: false
|
|
timeout: 604800
|
|
|
|
SilverStripe\Forms\PasswordField:
|
|
autocompleate: false
|
|
|
|
SilverStripe\Security\Member:
|
|
lock_out_after_incorrect_logins: 5
|
|
lock_out_delay_mins: 5
|
|
# Password expiry should only happen when the password is leaked (optionally expire automatically if PCI/NIST compliance is required)
|
|
# password_expiry_days: 90
|
|
# instead of password change, we send out a notice on change of password OR Email (notify_account_security_change)
|
|
notify_password_change: false
|
|
#######################
|
|
# Security Headers
|
|
#######################
|
|
#Controller:
|
|
# security_headers:
|
|
# # # Values may contain :security_reporting_base_url: placeholders, will be replaced with the URL to SecurityBaselineController endpoint
|
|
# # Header-Directive: "value; another value;"
|
|
# # X-Version-Alias-Of-Same-Header: "x:Header-Directive" # 'x-alias' headers may be aliased to the standard by a value starting with "x:Standard"
|
|
# # X-Another-Alias-Version-Of-Same: "different; value syntax as well;"
|
|
|
|
#
|
|
# A useful base from guttmann/silverstripe-security-headers - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#Security:
|
|
#
|
|
|
|
# # Content-Security-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
|
# # Specifies approved sources of content that the browser may load from your website
|
|
# # Useful: upgrade-insecure-requests; (Instructs browser to treat a site's insecure URLs as if they are HTTPS (eg for legacy sites)
|
|
# # Example: Allow everything but only from the same origin:
|
|
# Content-Security-Policy: "default-src 'self';"
|
|
# # Example: Allow Google Analytics, Google AJAX CDN and Same Origin
|
|
# Content-Security-Policy: "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
|
|
# # Example: Starter Policy - allows images, scripts, AJAX, form actions, and CSS from the same origin, and does not allow any
|
|
# # other resources to load (eg object, frame, media, etc). It is a good starting point for many sites.
|
|
# Content-Security-Policy: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'"
|
|
|
|
# # Content-Security-Policy-Report-Only - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
|
|
# # Allows web developers to experiment with policies by monitoring (but not enforcing) their effects
|
|
# # Browsers capable of enforcing CSP will send a violation report as a POST request to report-uri
|
|
# Content-Security-Policy-Report-Only: default-src https:; report-uri /security-reporting-endpoint/csp/
|
|
# Content-Security-Policy-Report-Only: "default-src https:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; report-uri /security-reporting-endpoint/csp/;"
|
|
|
|
# # Strict-Transport-Security - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
|
|
# # Tells the browser to ONLY interact with the site using HTTPS and never HTTP
|
|
# Strict-Transport-Security: "max-age=31536000" # time in seconds (one year=31536000) to remember that the site is only accessible over HTTPS
|
|
|
|
# # Frame-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
|
# # Disallowes pages to render within a frame - protects against clickjacking attacks
|
|
# Frame-Options: "deny"
|
|
|
|
# # XSS-Protection - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
# # protect against Cross-site Scripting attacks (value 1=sanitize (default in most browsers), set to "1; mode=block" to prevent rendering if attack is detected)
|
|
# # Deprecated: if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead
|
|
# X-XSS-Protection: "1; mode=block"
|
|
|
|
# # X-Content-Type-Options - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
|
# # Indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed
|
|
# # NOTE: Opting out of MIME sniffing can cause HTML web pages to be downloaded instead of rendered when they are
|
|
# # served with a MIME type other than text/html. Make sure to set both headers correctly.
|
|
# # Site security testers usually expect this header to be set.
|
|
# X-Content-Type-Options: "nosniff"
|
|
|
|
#
|
|
# Some more from https://help.dreamhost.com/hc/en-us/articles/360036486952-Security-headers
|
|
#
|
|
|
|
# # Referrer-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
|
|
# # controls how much referrer information should be sent to another server
|
|
# Referrer-Policy: no-referrer
|
|
|
|
# # Feature-Policy - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
|
|
# # (Experimental 2020) controls which browser features are allowed on your website, eg for sites allowing third-party content
|
|
|
|
# # CORS - Allow resource sharing with another domain (eg webfonts & ajax requests)
|
|
# # Access-Control-Allow-Origin - developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
|
|
|
|
#
|
|
# A further selection from https://github.com/bepsvpt/secure-headers/blob/master/config/secure-headers.php
|
|
#
|
|
|
|
# Clear-Site-Data - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
|
|
# Clears browsing data (cookies, storage, cache) associated with the requesting website
|
|
|
|
# Expect-CT - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
|
|
# Lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements,
|
|
# to prevent the use of misissued certificates for that site from going unnoticed.
|
|
# (will likely become obsolete in June 2021)
|