Improve security and ciphers

saglagla

Hello,

Regarding to :

• https://securityheaders.io
• https://observatory.mozilla.org/analyze/
• https://tls.imirhil.fr/smtp/
• https://tls.imirhil.fr/https/

There is a way to improve security (ciphers, like Content-Security-Policy in https headers by example).
Also, I've notice that each application have his own score which means that reverse-proxy configuration is not iso for each app ? Is it normal ?

girish

@saglagla It should be the same for all apps since Cloudron uses a reverse proxy internally.

I checked my.cloudron.io (cloudron), git.cloudron.io (gitlab), chat.cloudron.io (rocketchat) and forum.cloudron.io (nodebb), files.cloudron.io (nextcloud). I get A for all the domains. The CSP headers have to be ideally set by the upstream app, most of them do not set it (but nextcloud does).

saglagla

@girish said in Improve security and ciphers:

my.cloudron.io

If you check on the mozilla observatory https://observatory.mozilla.org/analyze/my.cloudron.io get a B due to CSP.

Also, if you're using :https://tls.imirhil.fr/ with http test, you'll get a C

girish

@saglagla I see, thanks. The low score seems of https://observatory.mozilla.org/analyze/my.cloudron.io is because of the lack of CSP headers (a big -25!). We used to have CSP but I think @nebulon disabled it. @nebulon do you know why we disabled it?

nebulon

I pushed some CSP changes with https://git.cloudron.io/cloudron/box/commit/573d0e993ea519630aead4880605cd2a985cde82
This is the minimal set of restrictions, which still work for the dashboard code currently.

saglagla

Okay, okay.

Ans, So, each app get his OWN web server ? Okay so it's complicated to uniform the security policy easily...
Also, by example why allowing 3DES ? like DES-CBC3-SHA in all TLS version ?

EDIT : I think every app need to be at a A or A+ grade in order to be validated for cloudron.
Paperwork / Wallabag allow unsecure cookies by exemple :
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS

EDIT 2 : Sorry for the twin-post
Also, I'm just trying to follow up all the public recommandation from the french IT Sec agency

saglagla

This post is deleted!

nebulon

I have updated the ciphers now according to mozilla's config generator. The commit is https://git.cloudron.io/cloudron/box/commit/ddaa52163bf3844b36d6c29fdffb5db3e0b3f5d0

For the CSP settings, this indeed cannot properly be done on a platform level, as apps require differently strict settings there and have to provide this on their own, so this should ideally be fixed in each app upstream.