From 1370289c912bc1a8664884173234f37ce96a22e9 Mon Sep 17 00:00:00 2001 From: Hanne Moa Date: Tue, 27 Feb 2024 08:23:12 +0100 Subject: [PATCH] Document the new config section --- NOTES.rst | 16 +++++++++++++++ doc/howto/index.rst | 1 + doc/howto/securing-nav-in-production.rst | 26 ++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 doc/howto/securing-nav-in-production.rst diff --git a/NOTES.rst b/NOTES.rst index e4d60b4584..f33a5356d0 100644 --- a/NOTES.rst +++ b/NOTES.rst @@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues . To see an overview of upcoming release milestones and the issues they resolve, please go to https://github.com/uninett/nav/milestones . +NAV 5.9 +======= + +Web security +------------ + +While it is only relevant for older browsers, the HTTP header +``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers +that do not support it after all. + +There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When +running in production with SSL/TLS turned on, there's a new flag ``needs_tls`` +that should also be toggled on. This'll turn on secure cookies (only sent over +SSL/TLS). See also the new howto +:doc:`Securing NAV in production `. + NAV 5.8 ======= diff --git a/doc/howto/index.rst b/doc/howto/index.rst index 4369b4f994..9e45bd2fbd 100644 --- a/doc/howto/index.rst +++ b/doc/howto/index.rst @@ -19,3 +19,4 @@ Howtos setting-up-logging using_the_api api_parameters + securing-nav-in-production diff --git a/doc/howto/securing-nav-in-production.rst b/doc/howto/securing-nav-in-production.rst new file mode 100644 index 0000000000..f53774a3c8 --- /dev/null +++ b/doc/howto/securing-nav-in-production.rst @@ -0,0 +1,26 @@ +========================== +Securing NAV in production +========================== + +Overview +======== + +The default configuration of NAV is set up to work well during development, but +needs to be tightened when running in production. + +NAV consists of pages controlled by NAV itself, and pages served directly by +the web server. Security features for NAV's own pages are controlled via the +``[security]``-section in the file :file:`webfront/webfront.conf`, while +security for the other pages are controlled directly by the web server. + + +SSL/TLS +======= + +This needs to be turned on in the webserver itself. While there is no reason to +serve any of NAV without SSL/TLS turned off, it is especially important for the +pages controlled by NAV. + +When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in +the ``[security]``-section is set to ``yes``. This explicitly turns on secure +cookies, which is dependent on SSL being in use.