Skip to content

Commit

Permalink
Document the new config section
Browse files Browse the repository at this point in the history
  • Loading branch information
hmpf committed Feb 28, 2024
1 parent ae7882d commit 1370289
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 0 deletions.
16 changes: 16 additions & 0 deletions NOTES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
To see an overview of upcoming release milestones and the issues they resolve,
please go to https://github.com/uninett/nav/milestones .

NAV 5.9
=======

Web security
------------

While it is only relevant for older browsers, the HTTP header
``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers
that do not support it after all.

There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When
running in production with SSL/TLS turned on, there's a new flag ``needs_tls``
that should also be toggled on. This'll turn on secure cookies (only sent over
SSL/TLS). See also the new howto
:doc:`Securing NAV in production </howto/securing-nav-in-production>`.

NAV 5.8
=======

Expand Down
1 change: 1 addition & 0 deletions doc/howto/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ Howtos
setting-up-logging
using_the_api
api_parameters
securing-nav-in-production
26 changes: 26 additions & 0 deletions doc/howto/securing-nav-in-production.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
==========================
Securing NAV in production
==========================

Overview
========

The default configuration of NAV is set up to work well during development, but
needs to be tightened when running in production.

NAV consists of pages controlled by NAV itself, and pages served directly by
the web server. Security features for NAV's own pages are controlled via the
``[security]``-section in the file :file:`webfront/webfront.conf`, while
security for the other pages are controlled directly by the web server.


SSL/TLS
=======

This needs to be turned on in the webserver itself. While there is no reason to
serve any of NAV without SSL/TLS turned off, it is especially important for the
pages controlled by NAV.

When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in
the ``[security]``-section is set to ``yes``. This explicitly turns on secure
cookies, which is dependent on SSL being in use.

0 comments on commit 1370289

Please sign in to comment.