mirror of
https://github.com/opnsense/docs
synced 2024-11-05 06:00:36 +00:00
133 lines
4.8 KiB
ReStructuredText
133 lines
4.8 KiB
ReStructuredText
|
=======================
|
||
|
nginx: Header Hardening
|
||
|
=======================
|
||
|
|
||
|
.. Note::
|
||
|
|
||
|
Except for some specific configuration directives, this is **NOT**
|
||
|
specific to the nginx plugin. Please note that you can also debug your
|
||
|
frontend code this way.
|
||
|
|
||
|
|
||
|
Background Information
|
||
|
======================
|
||
|
|
||
|
HTTP headers can control what a web application is allowed to do and what it is
|
||
|
not. This can be used to harden the web application against some **client side risks**.
|
||
|
|
||
|
|
||
|
Testing Web Applications Using A Local Proxy
|
||
|
============================================
|
||
|
|
||
|
Configuration of Firefox
|
||
|
------------------------
|
||
|
|
||
|
For this tests, you should install and configure FoxyProxy_.
|
||
|
|
||
|
.. _FoxyProxy: https://addons.mozilla.org/de/firefox/addon/foxyproxy-standard/
|
||
|
|
||
|
After it is installed, click on the proxy settings and add a new one:
|
||
|
|
||
|
.. image:: images/zap_foxyproxy.png
|
||
|
|
||
|
As a proxy, enter localhost (or 127.0.0.1 in case localhost does not work) and
|
||
|
the port 8080. Save the settings.
|
||
|
|
||
|
|
||
|
Downloading A Proxy Software For Testing
|
||
|
----------------------------------------
|
||
|
|
||
|
Well known Test tools are:
|
||
|
|
||
|
* OWASP ZAP (https://github.com/zaproxy/zaproxy)
|
||
|
* Burp (https://portswigger.net/burp)
|
||
|
* mitmproxy (https://mitmproxy.org/)
|
||
|
|
||
|
|
||
|
When it is downloaded, you usually have to unpack it into a fitting directory.``
|
||
|
When it is unpacked, you need to run it. In case of ZAP, doubleclick the
|
||
|
``zap.sh`` or ``zap.bat`` depending on your operating system.
|
||
|
|
||
|
Next regenerate and export the certificate under
|
||
|
:menuselection:`Tools --> Options --> Dynamic SSL certificates` and import it into the Firefox
|
||
|
key store (:menuselection:`Preferences --> Data Protection & Security --> Show Certificates`) with
|
||
|
full trust.
|
||
|
|
||
|
Start Testing
|
||
|
-------------
|
||
|
|
||
|
Click on the FoxyProxy icon and select the localhost proxy defined first.
|
||
|
Next just use the application as usual. If you click the red button,
|
||
|
can stop the request in ZAP and it allows you to edit it:
|
||
|
|
||
|
.. image:: images/zap_request.png
|
||
|
|
||
|
When you are done, just click one of the play buttons to disable halting or wait
|
||
|
for the next request / response to edit that as well. For example the response
|
||
|
could look like this one:
|
||
|
|
||
|
.. image:: images/zap_response.png
|
||
|
|
||
|
You can see a lot of important information here like the used protocol (HTTP/1.1),
|
||
|
the status code 200 (which means it was successful) and a lot of headers.
|
||
|
Some of those headers impact security and ZAP will try to make a recommendation,
|
||
|
which may not be always correct but it may help you to find some (forgotten)
|
||
|
issues:
|
||
|
|
||
|
.. image:: images/zap_warnings.png
|
||
|
|
||
|
The colors of the flags show how high the risk is rated so the redder it is,
|
||
|
the more impact it has on security. The left view contains a list of the
|
||
|
findings, the right view contains a detailed description of them.
|
||
|
Based on this information, you have to decide your further actions.
|
||
|
|
||
|
|
||
|
Testing Web Applications Using Developer Tools
|
||
|
==============================================
|
||
|
|
||
|
|
||
|
When you right click on the web site, you can inspect the element but the
|
||
|
opening tools also have a tab for networking.
|
||
|
|
||
|
.. image:: images/firefox_devtools_network.png
|
||
|
|
||
|
The network tab works like the main view of the proxy.
|
||
|
You can see which headers are sent and which ones are received.
|
||
|
The advantage here is that you get some errors on the console tab (for example
|
||
|
if the CSP has an error). The disadvantage of the console is, that is is not so
|
||
|
easy to intercept and modify data.
|
||
|
|
||
|
|
||
|
Inject Missing Headers Via The nginx Plugin
|
||
|
===========================================
|
||
|
|
||
|
Security headers in the nginx plugin can be injected by creating a new security
|
||
|
header configuration:
|
||
|
|
||
|
.. Image:: images/nginx_security_headers.png
|
||
|
|
||
|
If you set a setting here, it will override what the webserver sets.
|
||
|
You can inject this security setting into a location or HTTP server.
|
||
|
|
||
|
You can read about the headers in the `Mozilla Wiki <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers>`_ or in the RFCs.
|
||
|
|
||
|
.. Warning::
|
||
|
|
||
|
Not all headers are supported by all browsers.
|
||
|
|
||
|
In short, the headers are:
|
||
|
|
||
|
========================= ======================================================================
|
||
|
Referrer Control what a page sees when you link on it
|
||
|
XSS Protection Enable or disable the detection for (reflected) XSS
|
||
|
Don't Sniff Content Type Disable content type detection when the original is incorrect
|
||
|
Strict Transport Security TLS only and enforce valid certificate
|
||
|
HPKP Pin the public key, not widely used and dangerous [1]_ if misconfigured
|
||
|
Content Security Policy Controls resources and JS functions
|
||
|
========================= ======================================================================
|
||
|
|
||
|
.. [1] If you switch the certificate without announcing its public key first
|
||
|
via this header in a rollover time span, you will lock this clients out
|
||
|
because they expect being targetted by a MITM attack and refuse the connection
|
||
|
and it is hard to reset this pin in the browser.
|