Start a section on security considerations, primarily for those not u…

…sing OpenConext-deploy
OpenConext · Nov 29, 2023 · edd202c · edd202c
1 parent de2f660
commit edd202c
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -194,6 +194,10 @@ Use these URLs to test your EngineBlock instance:
 - https://engine.example.com/authentication/proxy/idps-metadata, this should present you with the proxy IdP metadata
 - https://engine-api.example.com, this should return an empty 200 OK response
 
+### Security
+
+Please see [security considerations](docs/security.md) to harden your Engineblock after installation.
+
 ## Updating
 
 It is recommended practice that you deploy engineblock in a directory that includes the version number and use a

diff --git a/docs/security.md b/docs/security.md
@@ -0,0 +1,23 @@
+# Security measures for Engineblock
+
+## HTTP Headers
+
+HTTP Headers are set not by Engineblock itself so the deployer needs to set these in
+the webserver that serves the EB requests.
+
+We recommend at least:
+* Strict-Transport-Security: max-age=<high enough value>
+* X-Content-Type-Options: nosniff
+* X-Frame-Options: DENY
+* Content-Security-Policy: TODO
+
+## PHP settings
+
+We recommend to set `disable_functions` to:
+
+```
+exec,passthru,shell_exec,system,popen,curl_multi_exec,show_source,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority`
+```
+
+This is of relevance specifically to limit the scope of what Attribute Manipulations
+(which are PHP code) are able to accomplish.