From edd202c3f81df5d463ea404c8a5ae610d07814a8 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Wed, 29 Nov 2023 14:49:20 +0100 Subject: [PATCH] Start a section on security considerations, primarily for those not using OpenConext-deploy --- README.md | 4 ++++ docs/security.md | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 docs/security.md diff --git a/README.md b/README.md index 39c7d1c0d..767c8c2b7 100644 --- a/README.md +++ b/README.md @@ -194,6 +194,10 @@ Use these URLs to test your EngineBlock instance: - https://engine.example.com/authentication/proxy/idps-metadata, this should present you with the proxy IdP metadata - https://engine-api.example.com, this should return an empty 200 OK response +### Security + +Please see [security considerations](docs/security.md) to harden your Engineblock after installation. + ## Updating It is recommended practice that you deploy engineblock in a directory that includes the version number and use a diff --git a/docs/security.md b/docs/security.md new file mode 100644 index 000000000..38b827166 --- /dev/null +++ b/docs/security.md 
@@ -0,0 +1,23 @@ +# Security measures for Engineblock + +## HTTP Headers + +HTTP Headers are set not by Engineblock itself so the deployer needs to set these in +the webserver that serves the EB requests. + +We recommend at least: +* Strict-Transport-Security: max-age= +* X-Content-Type-Options: nosniff +* X-Frame-Options: DENY +* Content-Security-Policy: TODO + +## PHP settings + +We recommend to set `disable_functions` to: + +``` +exec,passthru,shell_exec,system,popen,curl_multi_exec,show_source,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority` +``` + +This is of relevance specifically to limit the scope of what Attribute Manipulations +(which are PHP code) are able to accomplish.
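Review bot: In the README.md hunk, the new `### Security` subsection spells the product "Engineblock" while the surrounding context ("test your EngineBlock instance") uses "EngineBlock"; align the spelling. The `###` level also nests Security under the testing section it follows rather than alongside `## Updating`; if hardening is meant as a top-level post-install step, promote it to `## Security`.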
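Review bot: In the docs/security.md hunk, the recommended header list ships two placeholders: `Strict-Transport-Security: max-age=` has no value and `Content-Security-Policy: TODO` is literally a TODO; either give max-age a concrete value in seconds (one year is the usual choice) and a real CSP, or clearly mark the CSP entry as pending so a deployer does not copy `TODO` into a webserver config. In the same hunk, the `disable_functions` code block ends with a stray backtick after `pcntl_setpriority`, which will render as part of the value and break copy-paste into php.ini; the fence could also be tagged `ini`. Since the stated goal is limiting what Attribute Manipulation PHP code can do, consider adding `proc_open` to the list: `popen`, `exec`, `passthru`, `shell_exec` and `system` are disabled, but `proc_open` would still spawn processes. Minor wording: "HTTP Headers are set not by Engineblock itself" reads better as "HTTP headers are not set by Engineblock itself", and "We recommend to set" as "We recommend setting".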