feat: security baseline changes #414

Merged
merged 3 commits into from May 1, 2024
4 changes: 3 additions & 1 deletion Dockerfile
@@ -14,7 +14,9 @@ RUN apk update; apk upgrade
RUN rm -rf /etc/nginx/conf.d
COPY nginx /etc/nginx
COPY --from=build-stage /usr/src/app/dist /usr/share/nginx/html
RUN adduser -S $NGINX_USER nginx && \
# Security Basline - The `sed` was added to meet requirement 17
RUN sed -i '/Faithfully yours/d' /usr/share/nginx/html/50x.html && \
adduser -S $NGINX_USER nginx && \
addgroup -S $NGINX_USER && \
addgroup $NGINX_USER $NGINX_USER && \
touch /run/nginx.pid && \
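Review bot: the `sed -i '/Faithfully yours/d'` on the default 50x.html only strips the one signature line, so the fix is tied to the exact wording of the upstream page and silently stops working if that text changes; since the build already does `COPY nginx /etc/nginx`, shipping a project-owned 50x.html alongside the other nginx assets would meet requirement 17 without patching a vendored file. Also fix the comment typo: "Basline" should read "Baseline" (it recurs in nginx.conf).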
20 changes: 16 additions & 4 deletions nginx/nginx.conf
@@ -36,7 +36,10 @@ http {
large_client_header_buffers 4 8k;
client_body_timeout 60s;
client_header_timeout 60s;
send_timeout 60s;
# Security Basline - Added to meet requirement 14
keepalive_timeout 10s;
# Security Basline - Added to meet requirement 15
send_timeout 10s;

include mime.types;
include /etc/nginx/useragent.rules;
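Review bot: `keepalive_timeout` and `send_timeout` are tightened to 10s, but `client_body_timeout` and `client_header_timeout` two lines above stay at 60s, so a client that trickles request headers or a body still holds a worker connection six times longer than an idle keep-alive one; if requirements 14 and 15 are about limiting connection hold time, consider lowering those two as well (or note in the comment why they are intentionally left at 60s). Note that `send_timeout` bounds the gap between two successive writes to the client, not the total response time, so 10s is safe for large static assets.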
@@ -56,16 +59,22 @@ http {
server {
listen 8080;
root /usr/share/nginx/html/;
# Security Basline - Changed to meet requirement
autoindex off;
access_log /dev/stdout;
gzip on;
gzip_types application/javascript text/css application/json;
#gzip on;
#gzip_types application/javascript text/css application/json;
# Security Basline - Changed to meet requirement 4
gzip off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
expires $expires;
limit_conn addr 8;

# Security Basline - Added to meet requirement 39
if ($request_method !~ ^(GET|HEAD|OPTIONS)$) { return 444; }

# Prevent access from nasty user agents
if ($badagent) {
return 403;
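Review bot: the comment above `autoindex off;` reads "Changed to meet requirement" with no number, unlike every other baseline comment in this PR; add the requirement id so the setting can be traced back. The two commented-out `gzip` lines should be deleted rather than kept beside `gzip off;`, since the git history already records the previous values. For the method filter, `return 444` drops the connection with no response, which is fine as a hardening choice but gives legitimate clients and monitoring nothing to act on; if the intent is a method allow-list, `return 405;` is the conventional answer and still refuses the request.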
@@ -97,11 +106,14 @@ http {
try_files '' /index.html;
}

# Security Basline - Added to meet requirement 19
location ~ /\. { deny all; return 404; }

# deny running scripts inside core system folders
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 418; }

# deny running scripts inside user folder
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 418; }
}

}
}
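Review bot: in `location ~ /\. { deny all; return 404; }` the `deny all` never runs, because `return` executes in the rewrite phase before the access phase that evaluates `deny`; keep only `return 404;` so the block says what it does. Also note that the regex `/\.` matches a dot anywhere after a slash, including `/.well-known/`, so if ACME or other well-known URIs are ever served from this host they will need an earlier `location ^~ /.well-known/` exception.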