SOLVED Improve security and ciphers
Regarding to :
There is a way to improve security (ciphers, like Content-Security-Policy in https headers by example).
Also, I've notice that each application have his own score which means that reverse-proxy configuration is not iso for each app ? Is it normal ?
@saglagla It should be the same for all apps since Cloudron uses a reverse proxy internally.
I checked my.cloudron.io (cloudron), git.cloudron.io (gitlab), chat.cloudron.io (rocketchat) and forum.cloudron.io (nodebb), files.cloudron.io (nextcloud). I get
Afor all the domains. The CSP headers have to be ideally set by the upstream app, most of them do not set it (but nextcloud does).
If you check on the mozilla observatory https://observatory.mozilla.org/analyze/my.cloudron.io get a B due to CSP.
Also, if you're using :https://tls.imirhil.fr/ with http test, you'll get a C
@saglagla I see, thanks. The low score seems of https://observatory.mozilla.org/analyze/my.cloudron.io is because of the lack of CSP headers (a big -25!). We used to have CSP but I think @nebulon disabled it. @nebulon do you know why we disabled it?
I pushed some CSP changes with https://git.cloudron.io/cloudron/box/commit/573d0e993ea519630aead4880605cd2a985cde82
This is the minimal set of restrictions, which still work for the dashboard code currently.
Ans, So, each app get his OWN web server ? Okay so it's complicated to uniform the security policy easily...
Also, by example why allowing 3DES ? like DES-CBC3-SHA in all TLS version ?
EDIT : I think every app need to be at a A or A+ grade in order to be validated for cloudron.
Paperwork / Wallabag allow unsecure cookies by exemple :
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS
EDIT 2 : Sorry for the twin-post
Also, I'm just trying to follow up all the public recommandation from the french IT Sec agency
This post is deleted!
I have updated the ciphers now according to mozilla's config generator. The commit is https://git.cloudron.io/cloudron/box/commit/ddaa52163bf3844b36d6c29fdffb5db3e0b3f5d0
For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.