Bug 1287197 - Implement proper HTTP security headers on mailman instances
Status: RESOLVED FIXED (Closed)
Opened 9 years ago; closed 9 years ago
Product / Component: Infrastructure & Operations :: Infrastructure: Mail (task)
Tracking: Not tracked
Reporter: April; Assignee: limed
Ed, can you please implement the following headers on mail and lists?
Content-Security-Policy: frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
It's my understanding that's simply fronted by Apache, so it would look like this:
Header set Strict-Transport-Security "max-age=31536000"
(and so on)
Thanks!
Comment 1 • 9 years ago (Assignee)
Probably can get to this next week (Friday, probably shouldn't do it right now)
Comment 2 • 9 years ago (Reporter)
Thanks, Ed. I appreciate it! *tips her hat*
Comment 3 • 9 years ago (Assignee)
So I have a question about this:
> X-Frame-Options: DENY
Wouldn't using SAMEORIGIN be safer? Just reading the docs here, since I'm not familiar with some of these headers, and I would like to be sure that if I set these settings I don't break the site.
Comment 4 • 9 years ago (Reporter)
Either one is fine; SAMEORIGIN is only needed if the site frames itself. Either one prevents *other* sites from framing it.
Comment 5 • 9 years ago (Assignee)
Added these headers in the Apache config:
# Security header [Bug 1287197]
Header set Strict-Transport-Security "max-age=31536000"
Header set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "frame-ancestors 'self';"
Verified:
$ curl -I https://mail.mozilla.org/listinfo
HTTP/1.1 200 OK
Date: Mon, 18 Jul 2016 18:44:22 GMT
Server: Apache
X-Backend-Server: mailman1.mail.scl3.mozilla.com
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self';
Connection: close
Content-Type: text/html; charset=us-ascii
$ curl -I https://lists.mozilla.org/listinfo
HTTP/1.1 200 OK
Date: Mon, 18 Jul 2016 18:46:01 GMT
Server: Apache
X-Backend-Server: mailman2.mail.scl3.mozilla.com
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self';
Connection: close
Content-Type: text/html; charset=us-ascii
Also, as a bonus, I have disabled server signatures.
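The curl output above shows the headers landing, but reading them by eye does not catch a short max-age, a frame-ancestors list that admits a third-party origin, or a Server header that has grown a version string again after an upgrade. The following checker is an added example, not part of this bug or of the Mozilla configuration: it parses `curl -I` style output into a header map and reports anything that falls short of what the bug requested. The passing sample is the mail.mozilla.org response from comment 5; the failing sample is constructed to show what a host that never received the change would look like. The Server-version check goes slightly beyond the bug's header list and covers the "disabled server signatures" follow-up.

```python
"""Check curl -I output for the security headers requested in bug 1287197."""
import re

# Response recorded in comment 5 for mail.mozilla.org (expected to pass).
SAMPLE_OK = """HTTP/1.1 200 OK
Date: Mon, 18 Jul 2016 18:44:22 GMT
Server: Apache
X-Backend-Server: mailman1.mail.scl3.mozilla.com
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self';
Connection: close
Content-Type: text/html; charset=us-ascii
"""

# Constructed sample (hypothetical host, not a real response): no hardening at all
# and a Server header that still advertises a version.
SAMPLE_MISSING = """HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=us-ascii
"""

MIN_HSTS_AGE = 31536000  # one year, the value the bug asked for


def parse_headers(raw):
    """Turn `curl -I` output into a dict keyed by lower-cased header name.

    The status line has no colon and is skipped; values keep their case so
    directive lists such as CSP can be inspected as written.
    """
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw):
    """Return a list of findings; an empty list means every requested header is present and sane."""
    h = parse_headers(raw)
    findings = []

    # HSTS: must exist and carry at least a one-year max-age.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_AGE}: {hsts!r}")

    # X-Frame-Options: DENY and SAMEORIGIN both stop other sites from framing the page.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options not DENY/SAMEORIGIN: {xfo!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # CSP: split into directives and require frame-ancestors limited to 'none' or 'self'.
    csp = h.get("content-security-policy", "")
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    frame_ancestors = [d for d in directives if d.startswith("frame-ancestors")]
    if not frame_ancestors:
        findings.append("Content-Security-Policy lacks frame-ancestors")
    else:
        sources = frame_ancestors[0].split()[1:]
        if sources not in (["'none'"], ["'self'"]):
            findings.append(f"frame-ancestors allows other origins: {sources}")

    # Server signature: a digit in the value means a version is being advertised.
    server = h.get("server")
    if server and re.search(r"\d", server):
        findings.append(f"Server header leaks a version: {server!r}")

    return findings


if __name__ == "__main__":
    for label, sample in (("mail.mozilla.org (comment 5)", SAMPLE_OK),
                          ("constructed unhardened host", SAMPLE_MISSING)):
        result = check_security_headers(sample)
        print(label, "->", "OK" if not result else result)
```

To run it against a live host, pipe `curl -sI https://host/` into `check_security_headers`; note that `curl -I` sends HEAD, so a backend that only sets headers on GET responses would need `curl -s -o /dev/null -D - https://host/` instead.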
Updated • 9 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 6 • 9 years ago (Reporter)
Thanks so much, Ed!
Updated • 9 years ago (Reporter)
Group: mozilla-employee-confidential