Added some security headers and changed the TLS settings

AmadeusITGroup · Apr 12, 2023 · 92ec3ed · 92ec3ed
1 parent ac74fa4
commit 92ec3ed
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 3 deletions.
diff --git a/backend/src/app.js b/backend/src/app.js
@@ -1,9 +1,21 @@
 var fs = require('fs');
 var app = require('express')();
+
 var https = require('https').Server({
   key: fs.readFileSync(__dirname+'/../ssl/server.key'),
-  cert: fs.readFileSync(__dirname+'/../ssl/server.cert')
+  cert: fs.readFileSync(__dirname+'/../ssl/server.cert'),
+
+  // TLS Versions
+	maxVersion: 'TLSv1.3',
+	minVersion: 'TLSv1.2',
+
+	// Hardened configuration
+	ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
+
+	honorCipherOrder: false
 }, app);
+app.disable('x-powered-by');
+
 var io = require('socket.io')(https, {
   cors: {
     origin: "*"
@@ -91,6 +103,12 @@ app.use(function(req, res, next) {
   next();
 });
 
+// CSP
+app.use(function(req, res, next) {
+  res.header("Content-Security-Policy", "default-src 'none'; form-action 'none'; base-uri 'self'; frame-ancestors 'none'; sandbox; require-trusted-types-for 'script';");
+  next();
+});
+
 app.use(bodyParser.json({limit: '100mb'}));
 app.use(bodyParser.urlencoded({
   limit: '10mb',

diff --git a/frontend/.docker/nginx.conf b/frontend/.docker/nginx.conf
@@ -3,8 +3,16 @@ server {
     server_name         localhost;
     ssl_certificate     /etc/nginx/ssl/server.cert;
     ssl_certificate_key /etc/nginx/ssl/server.key;
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    server_tokens off;
 
     #charset koi8-r;
     #access_log  /var/log/nginx/host.access.log  main;