Header security with GO


peter_stirnberg
Posts: 263
Joined: Tue Dec 13, 2005 7:57 am


Postby peter_stirnberg » Thu Sep 29, 2016 4:28 pm

GO messes with some Content-Security-Policy headers, but it's possible to get an "A" with the new Mozilla Observatory. And here is how to do it:

Add these lines to your virtual server config. Make sure that the header module is loaded.

# mod_headers: "Header set" REPLACES any earlier value of the same header, so four
# separate Content-Security-Policy lines only leave the last one (frame-ancestors)
# in effect. Send one combined policy instead; it allows the same things for GO's
# inline scripts and eval, but now says so explicitly. No colon after the header name.
# "always" also adds the headers to error responses (4xx/5xx), which plain "set" skips.
Header always set Content-Security-Policy "script-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' https://YOUR_DOMAIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# HPKP: a wrong or lost pin locks every returning visitor out until max-age expires,
# and browsers have since dropped support for this header entirely.
Header always set Public-Key-Pins "pin-sha256=\"YOUR_PUB_KEY_PIN\"; pin-sha256=\"YOUR_BACKUP_KEY_PIN\"; max-age=2592000; includeSubDomains"
# mode=block stops rendering instead of trying to sanitise the page.
Header always set X-XSS-Protection "1; mode=block"

How to configure public key pinning:

Create hash from certificate:
# The pin is SHA-256 over the DER SubjectPublicKeyInfo, i.e. over the key, not the certificate.
# "openssl rsa" only handles RSA keys; "openssl pkey -pubin -outform der" works for EC keys too.
openssl x509 -in YOUR.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Create hash backup from website:
# </dev/null closes stdin so s_client exits instead of waiting for input; -servername sends SNI.
# Caution: if the site serves the same key as YOUR.crt, this produces the SAME pin as above.
# A real backup pin must come from a second key pair that is not deployed yet (run its public
# key through the same dgst/base64 steps) so that you can rotate if the live key is lost.
openssl s_client -connect YOUR_SITE:443 -servername YOUR_SITE </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Copy both hashes as header into your virtual host config as shown above:
Header always set Public-Key-Pins "pin-sha256=\"HASH1\"; pin-sha256=\"HASH-BACKUP\"; max-age=2592000; includeSubDomains"

Have Fun
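Added example (not from the post above and not Group-Office code): a stand-alone Python script that computes the same pin-sha256 value as the openssl pipeline in the post, base64(SHA-256(DER SubjectPublicKeyInfo)), by walking the certificate's DER structure directly. It builds its own unsigned, constructed test certificates with hypothetical RSA moduli (nothing here is a real key or a real cert), and uses them to show the point that matters for HPKP: a renewed certificate that reuses the same key gives the identical pin, so a "backup" pin read off the live site is no backup at all; only a pin from a second, undeployed key is. Browsers have since removed HPKP support, so treat this as an explanation of what the header's values were, not as a recommendation to deploy it.

```python
"""HPKP pin-sha256 from DER certificates (added example, constructed test data)."""
import base64
import hashlib

# --- minimal DER encode/decode helpers (enough for X.509 framing) ---------------
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17
OID_RSA = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11 sha256WithRSA
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName


def der_len(n: int) -> bytes:
    """DER length field, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, off: int):
    """Return (tag, value, offset after this element) for the element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_int(magnitude: bytes) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit magnitude positive."""
    if magnitude[0] & 0x80:
        magnitude = b"\x00" + magnitude
    return tlv(INT, magnitude)


def build_spki(modulus: bytes, exponent: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key: the bytes `openssl rsa -pubin -outform der`
    emits, and the exact input the pin hashes."""
    rsa_key = tlv(SEQ, der_int(modulus) + der_int(exponent.to_bytes(3, "big")))
    alg = tlv(SEQ, tlv(OID, OID_RSA) + tlv(NULL, b""))
    return tlv(SEQ, alg + tlv(BITSTR, b"\x00" + rsa_key))


def make_test_cert(spki: bytes, serial: int) -> bytes:
    """Constructed, UNSIGNED X.509 v3 shell around spki (demonstration only; the signature
    field is a zero placeholder, so no TLS stack would accept this certificate)."""
    name = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, b"example.test"))))
    validity = tlv(SEQ, tlv(UTCTIME, b"160929000000Z") + tlv(UTCTIME, b"260929000000Z"))
    sig_alg = tlv(SEQ, tlv(OID, OID_SHA256_RSA) + tlv(NULL, b""))
    tbs = tlv(SEQ, tlv(0xA0, der_int(b"\x02"))          # version [0] EXPLICIT, v3
                   + der_int(serial.to_bytes(1, "big"))  # serialNumber (1 byte is enough here)
                   + sig_alg + name + validity + name + spki)
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00" * 17))


def spki_from_cert(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo element."""
    _, cert_body, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)                   # tbsCertificate ::= SEQUENCE
    off = 0
    tag, _, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                                      # optional version [0]
        off = nxt
    for _ in range(5):                                   # serial, signature, issuer, validity, subject
        _, _, off = read_tlv(tbs, off)
    tag, _, end = read_tlv(tbs, off)
    if tag != SEQ:
        raise ValueError("SubjectPublicKeyInfo not found where expected")
    return tbs[off:end]


def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 value as defined by RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()


def hpkp_header(pins, max_age: int = 2592000, include_subdomains: bool = True) -> str:
    """Render a Public-Key-Pins value; refuse unless two DIFFERENT pins are supplied."""
    if len(set(pins)) < 2:
        raise ValueError("need pins for at least two different keys (live key + offline backup)")
    value = "; ".join(f'pin-sha256="{p}"' for p in pins) + f"; max-age={max_age}"
    return value + ("; includeSubDomains" if include_subdomains else "")


if __name__ == "__main__":
    # Hypothetical moduli, not real keys: the deployed key and a separate offline backup key.
    live_key = build_spki(bytes(range(1, 65)))
    backup_key = build_spki(bytes(range(64, 0, -1)))
    cert_2016 = make_test_cert(live_key, serial=1)
    cert_renewed = make_test_cert(live_key, serial=2)    # re-issued certificate, same key
    cert_backup = make_test_cert(backup_key, serial=3)
    print("live pin    :", spki_pin(cert_2016))
    print("renewed pin :", spki_pin(cert_renewed), "<- same key, same pin: not a backup")
    print("backup pin  :", spki_pin(cert_backup))
    print("Header always set Public-Key-Pins",
          '"' + hpkp_header([spki_pin(cert_2016), spki_pin(cert_backup)]) + '"')
```

To use it on a real certificate, replace the constructed `make_test_cert(...)` calls with the DER bytes of your own file (`openssl x509 -in YOUR.crt -outform der`); the value printed for it matches the post's `openssl ... | openssl enc -base64` pipeline because both hash the same SubjectPublicKeyInfo bytes.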
