Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create new config section for web security settings #2815

Merged
merged 4 commits into from
Mar 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions NOTES.rst
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
To see an overview of upcoming release milestones and the issues they resolve,
please go to https://github.com/uninett/nav/milestones .

NAV 5.9
=======

Web security
------------

While it is only relevant for older browsers, the HTTP header
``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers
that do not support it after all.

There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When
running in production with SSL/TLS turned on, there's a new flag ``needs_tls``
that should also be toggled on. This'll turn on secure cookies (only sent over
SSL/TLS). See also the new howto
:doc:`Securing NAV in production </howto/securing-nav-in-production>`.

NAV 5.8
=======

Expand Down
1 change: 1 addition & 0 deletions doc/howto/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ Howtos
setting-up-logging
using_the_api
api_parameters
securing-nav-in-production
26 changes: 26 additions & 0 deletions doc/howto/securing-nav-in-production.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
==========================
Securing NAV in production
==========================

Overview
========

The default configuration of NAV is set up to work well during development, but
needs to be tightened when running in production.

NAV consists of pages controlled by NAV itself, and pages served directly by
the web server. Security features for NAV's own pages are controlled via the
``[security]``-section in the file :file:`webfront/webfront.conf`, while
security for the other pages are controlled directly by the web server.


SSL/TLS
=======

This needs to be turned on in the webserver itself. While there is no reason to
serve any of NAV without SSL/TLS turned off, it is especially important for the
pages controlled by NAV.

When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in
the ``[security]``-section is set to ``yes``. This explicitly turns on secure
cookies, which is dependent on SSL being in use.
16 changes: 16 additions & 0 deletions python/nav/django/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
from nav.db import get_connection_parameters
import nav.buildconf
from nav.jwtconf import JWTConf
from nav.web.security import WebSecurityConfigParser

ALLOWED_HOSTS = ['*']

Expand Down Expand Up @@ -252,6 +253,21 @@
'nav.web.info.searchproviders.UnrecognizedNeighborSearchProvider',
]

## Web security options supported by Django
# * https://docs.djangoproject.com/en/3.2/ref/middleware/#module-django.middleware.security
# * https://docs.djangoproject.com/en/3.2/topics/http/sessions/
# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
#
# Configured in etc/webfront/webfront.conf:
# [security]
# needs_tls = yes

SECURE_BROWSER_XSS_FILTER = True # Does no harm

_websecurity_config = WebSecurityConfigParser()
_needs_tls = bool(_websecurity_config.getboolean('security', 'needs_tls'))
SESSION_COOKIE_SECURE = _needs_tls

# Hack for hackers to use features like debug_toolbar etc.
# https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
if _config_dir:
Expand Down
6 changes: 6 additions & 0 deletions python/nav/etc/webfront/webfront.conf
Original file line number Diff line number Diff line change
Expand Up @@ -130,3 +130,9 @@ enabled = no
# Some remote user systems need to be visited *after* NAV has logged the user
# out. The default/unset value is "/"
#post-logout-redirect-url=/magic/logout?nexthop=/

[security]
# Whether NAV must be run under TLS or not. Toggling this to `yes` toggles web
# security features that are only available with TLS/SSL enabled. In
# development mode this defaults to `no`.
# needs_tls = no
11 changes: 11 additions & 0 deletions python/nav/web/security.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
from pathlib import Path

from nav.config import NAVConfigParser


class WebSecurityConfigParser(NAVConfigParser):
DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
DEFAULT_CONFIG = u"""
[security]
needs_tls=no
"""
Loading