    Kopano community forum
    webapp and headers compliance.

    Kopano WebApp
    • thctlo

      Hai…

      I’m setting up a new server with the latest development packages on a Debian 10 server.
      My goal is to keep the security levels as modern as possible.

      I use this site to validate my settings on header security:
      https://securityheaders.com/ and ssllabs.com for the SSL settings.
      With all settings at A+ levels, the webapp doesn’t open/show the login part.
      The site shows up, but there is no place to enter your login/pass…

      I’m seeing the following (in the web browser console (F12)),
      server.fqdn/:21, :53, :56 (the line numbers):

      Refused to execute inline script because it violates the following
      Content Security Policy directive: “script-src ‘self’”.
      Either the ‘unsafe-inline’ keyword, a hash (‘sha256-UybDlKMXsBrbiJfasdDFff423wfwefg7zdOAwB+xTj9wCm8XBc=’),
      or a nonce (‘nonce-…’) is required to enable inline execution.

      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

      Changing the code here (I’m suspecting it’s the JavaScript part) to a .js file would be just a bit nicer ;-)
      Just reporting it, I don’t need a fix; I’m posting it here so everybody can make it just a bit more secure.

      I’ll lower the security level a bit on the script-src part, so I set script-src ‘unsafe-inline’ for now.
      I went from A+ to A… with the message:
      Content-Security-Policy This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.

      The current header security setting I’m using now as default for the server might be handy for someone. Do note, it’s a base and has the focus on a single-server setup only.

          Header set X-Content-Type-Options "nosniff"

          # options are deny, sameorigin, allow-from http(s)://www.domain.tld
          Header always append X-Frame-Options "SAMEORIGIN"
          Header set X-XSS-Protection "1; mode=block"
          Header set X-Permitted-Cross-Domain-Policies "none"

          # Referrer-Policy
          # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
          Header set Referrer-Policy "same-origin"

          # Permissions Policy
          # https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
          Header set Permissions-Policy "geolocation=(self)"

          # Content-Security-Policy
          # https://scotthelme.co.uk/content-security-policy-an-introduction/
          Header set X-Content-Security-Policy "default-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; script-src 'unsafe-inline'; connect-src 'self';"
          Header set Content-Security-Policy "default-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; script-src 'unsafe-inline'; connect-src 'self';"
          # script-src 'unsafe-inline' is set, or you don't see the login/password line in webapp

          # You can mitigate most of the common Cross Site Scripting attacks using the HttpOnly
          # and Secure flags on a cookie. Without HttpOnly and Secure, it is possible
          # to steal or manipulate web application sessions and cookies, and that is dangerous.
          # (mod_headers takes the bare header name here, without a trailing colon)
          Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
      
      • thctlo, replying to thctlo
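As an added example (not from the poster and not Kopano WebApp code), the script below shows the two things the browser message above points at, from the defender's side: computing the CSP `'sha256-…'` source expression for each inline script so that `'unsafe-inline'` is not needed, and auditing a `script-src` directive for the two weaknesses in the header set posted above: `'unsafe-inline'` without a hash or nonce, and a `script-src` that drops `'self'`. The HTML is constructed and only stands in for a login page; the policy string copied from the post is the one being audited.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed sample page standing in for a login page; hypothetical markup,
# not Kopano WebApp's own HTML.
SAMPLE_HTML = """<html><head>
<script src="/client/main.js"></script>
<script>window.settings = {"lang": "en"};</script>
</head><body>
<script>
  initLogin();
</script>
</body></html>"""

# The policy the poster settled on, copied from the header set above.
POSTED_CSP = ("default-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; "
              "script-src 'unsafe-inline'; connect-src 'self';")

# Inline <script> elements only: a src= attribute means an external file,
# which CSP authorises by origin, not by hash.
INLINE_SCRIPT_RE = re.compile(
    r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def inline_script_hashes(html: str) -> List[str]:
    """Return a CSP 'sha256-...' source expression for every inline script.

    Browsers hash the exact bytes between <script> and </script>, whitespace
    included, so the body must not be trimmed or re-indented.
    """
    expressions = []
    for body in INLINE_SCRIPT_RE.findall(html):
        digest = hashlib.sha256(body.encode("utf-8")).digest()
        expressions.append("'sha256-%s'" % base64.b64encode(digest).decode("ascii"))
    return expressions


def build_csp(html: str) -> str:
    """Build a policy that keeps 'self' for the site's own .js files and
    allows the page's inline scripts by hash instead of 'unsafe-inline'."""
    script_src = ["'self'"] + inline_script_hashes(html)
    return ("default-src 'self'; script-src %s; object-src 'none'; "
            "frame-ancestors 'self'" % " ".join(script_src))


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_script_src(header: str) -> List[str]:
    """Flag the two problems seen in the thread's script-src.

    Returns a list of finding codes:
      "unsafe-inline" - inline scripts allowed without a hash or nonce
      "missing-self"  - script-src overrides default-src, so without 'self'
                        the site's own external .js files are blocked too
    """
    policy = parse_csp(header)
    sources = policy.get("script-src")
    if sources is None:  # fall back to default-src, as the browser does
        sources = policy.get("default-src", [])
    lowered = [s.lower() for s in sources]
    findings = []
    strict = any(s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-"))
                 for s in lowered)
    if "'unsafe-inline'" in lowered and not strict:
        findings.append("unsafe-inline")
    if "'self'" not in lowered and "*" not in lowered:
        findings.append("missing-self")
    return findings


if __name__ == "__main__":
    print("posted header :", audit_script_src(POSTED_CSP))
    fixed = build_csp(SAMPLE_HTML)
    print("hash-based CSP:", fixed)
    print("fixed header  :", audit_script_src(fixed))
```

Two points the audit makes visible: once `script-src` is present it replaces `default-src` for scripts, so `script-src 'unsafe-inline'` on its own blocks every external `.js` file the page loads from its own origin, not just the inline parts; and a browser that understands hashes ignores `'unsafe-inline'` when a hash or nonce is listed, so the hash-based policy can be deployed without loosening `script-src` first. The hashes are only valid for the exact inline script bodies served, so they have to be regenerated whenever that markup changes.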

        @thctlo I had to turn off CSP completely in order to make it work (for now).
        I’ll have to dig deeper into this to see what’s more needed.
