mirrors/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-05-13 06:34:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: set HSTS preload attribute to false by default

Browse source 
See <https://hstspreload.org/#opt-in> for more information
why this is important.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
This commit is contained in:
Erik Michelson 2025-02-01 22:50:23 +01:00
parent 71854a882f
commit 72c233b233
3 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/content/configuration.md
View file

@ -78,12 +78,12 @@ these are rarely used for various reasons.
## Web security aspects ## Web security aspects
| config file | environment | **default** and example value | description | | config file | environment | **default** and example value | description |
| ----------------------------- | ------------------------------ |-------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------------------|--------------------------------|-------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `hsts` | | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) | | `hsts` | | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
| | `CMD_HSTS_ENABLE` | **`true`** or `false` | set to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) if HTTPS is also enabled (default is ` true`) | | | `CMD_HSTS_ENABLE` | **`true`** or `false` | set to enable [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) if HTTPS is also enabled (default is ` true`) |
| | `CMD_HSTS_INCLUDE_SUBDOMAINS` | **`true`** or `false` | set to include subdomains in HSTS (default is `true`) | | | `CMD_HSTS_INCLUDE_SUBDOMAINS` | **`true`** or `false` | set to include subdomains in HSTS (default is `false`) |
| | `CMD_HSTS_MAX_AGE` | **`31536000`**, `60 * 60 * 24 * 365` | max duration in seconds to tell clients to keep HSTS status (default is a year) | | | `CMD_HSTS_MAX_AGE` | **`31536000`**, `60 * 60 * 24 * 365` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| | `CMD_HSTS_PRELOAD` | **`true`** or `false` | whether to allow preloading of the site's HSTS status (e.g. into browsers) | | | `CMD_HSTS_PRELOAD` | `true` or **`false`** | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
| `csp` | | `{"enable": true, "addDefaults": true}` | Nested object to configure the Content Security Policy | | `csp` | | `{"enable": true, "addDefaults": true}` | Nested object to configure the Content Security Policy |
| `csp.enable` | `CMD_CSP_ENABLE` | **`true`** or `false` | Whether to apply a `Content-Security-Policy` header to responses. We don't recommend disabling this option, as it significantly reduces the security of the application. | | `csp.enable` | `CMD_CSP_ENABLE` | **`true`** or `false` | Whether to apply a `Content-Security-Policy` header to responses. We don't recommend disabling this option, as it significantly reduces the security of the application. |
| `csp.addDefaults` | | **`true`** or `false` | Disable to not include the default CSP. Be careful, this will break the application if the correct directives are not set manually. | | `csp.addDefaults` | | **`true`** or `false` | Disable to not include the default CSP. Be careful, this will break the application if the correct directives are not set manually. |

2
lib/config/default.js
View file

@ -15,7 +15,7 @@ module.exports = {
enable: true, enable: true,
maxAgeSeconds: 60 * 60 * 24 * 365, maxAgeSeconds: 60 * 60 * 24 * 365,
includeSubdomains: true, includeSubdomains: true,
preload: true preload: false
}, },
csp: { csp: {
enable: true, enable: true,

7
public/docs/release-notes.md
View file

@ -2,13 +2,18 @@
## <i class="fa fa-tag"></i> 1.x.x <i class="fa fa-calendar-o"></i> UNRELEASED ## <i class="fa fa-tag"></i> 1.x.x <i class="fa fa-calendar-o"></i> UNRELEASED
### Features This release changes the default configuration of the HSTS preload attribute to false for compliance with the
HSTS preload list requirements. This shouldn't impact any instance. However, if you intend to use HSTS preloading
you should enable the config setting `hsts.preload` or set environment variable `CMD_HSTS_PRELOAD=true`.
### Enhancements
- Add fixed rate-limiting to the login and register endpoints - Add fixed rate-limiting to the login and register endpoints
- Add configurable rate-limiting to the new notes endpoint - Add configurable rate-limiting to the new notes endpoint
### Bugfixes ### Bugfixes
- Fix a crash when cannot read user profile in Oauth - Fix a crash when cannot read user profile in Oauth
- Fix CSP Header for mermaid embedded images ([#5887](https://github.com/hedgedoc/hedgedoc/pull/5887) by [@domrim](https://github.com/domrim)) - Fix CSP Header for mermaid embedded images ([#5887](https://github.com/hedgedoc/hedgedoc/pull/5887) by [@domrim](https://github.com/domrim))
- Change default of HSTS preload to false for compliance with the HSTS preload list requirements
## <i class="fa fa-tag"></i> 1.10.0 <i class="fa fa-calendar-o"></i> 2024-09-01 ## <i class="fa fa-tag"></i> 1.10.0 <i class="fa fa-calendar-o"></i> 2024-09-01