feat: security baseline changes

cfpb · Apr 24, 2024 · 9e57e00 · 9e57e00
1 parent ad8b6a5
commit 9e57e00
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,9 @@ RUN apk update; apk upgrade
 RUN rm -rf /etc/nginx/conf.d
 COPY nginx /etc/nginx
 COPY --from=build-stage /usr/src/app/dist /usr/share/nginx/html
-RUN adduser -S $NGINX_USER nginx && \
+# Security Basline - The `sed` was added to meet requirement 17
+RUN sed -i '/Faithfully yours/d' /usr/share/nginx/html/50x.html && \
+    adduser -S $NGINX_USER nginx && \
     addgroup -S $NGINX_USER && \
     addgroup $NGINX_USER $NGINX_USER && \
     touch /run/nginx.pid && \

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -36,7 +36,10 @@ http {
   large_client_header_buffers 4 8k;
   client_body_timeout 60s;
   client_header_timeout 60s;
-  send_timeout 60s;
+  # Security Basline - Added to meet requirement 14
+  keepalive_timeout 10s;
+  # Security Basline - Added to meet requirement 15
+  send_timeout 10s;
 
   include mime.types;
   include /etc/nginx/useragent.rules;
@@ -56,16 +59,22 @@ http {
   server {
     listen 8080;
     root /usr/share/nginx/html/;
+    # Security Basline - Changed to meet requirement 
     autoindex off;
     access_log /dev/stdout;
-    gzip on;
-    gzip_types application/javascript text/css application/json;
+    #gzip on;
+    #gzip_types application/javascript text/css application/json;
+    # Security Basline - Changed to meet requirement 4
+    gzip off;
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
     expires $expires;
     limit_conn addr 8;
 
+    # Security Basline - Added to meet requirement 39
+    if ($request_method !~ ^(GET|HEAD|OPTIONS)$) { return 444; }
+
     # Prevent access from nasty user agents
     if ($badagent) {
        return 403;
@@ -97,11 +106,14 @@ http {
       try_files '' /index.html;
     }
 
+    # Security Basline - Added to meet requirement 19
+    location ~ /\. { deny all; return 404; }
+
     # deny running scripts inside core system folders
     location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 418; }
 
     # deny running scripts inside user folder
     location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 418; }
   }
 
-}
+}