255 security

config/nginx/conf.d/nginx.conf

@@ -1,11 +1,16 @@
 # nginx config for deployment on server, including SSL/TLS setup
 
+server_tokens off;
+
 server {
     listen 8080;
 
     server_name monitoring.localzero.net monitoring-test.localzero.net;
 
     client_max_body_size 100m;
+    add_header Content-Security-Policy "default-src 'self'";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    add_header Cache-Control "no-store";
 
     location / {
         # pass requests for dynamic content to gunicorn

config/settings/container.py

@@ -11,3 +11,6 @@
 CSRF_TRUSTED_ORIGINS = get_env("DJANGO_CSRF_TRUSTED_ORIGINS").split(",")
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = get_env("DJANGO_DEBUG") == "True"
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True

cpmonitor/static/js/localzero.js

@@ -1,3 +1,6 @@
+document.getElementById("nav-burger").addEventListener("click", toggleMobile);
+document.getElementById("menu-item-toggleable").addEventListener("click", toggleSubmenu);
+
 function toggleMobile() {
     document.getElementById('site-menu').classList.toggle('shownow');
 }

cpmonitor/templates/base.html

@@ -15,7 +15,6 @@
     </title>
     <link rel="stylesheet" href="{% static 'tabler/css/tabler.css' %}">
     <link rel="stylesheet" href="{% static 'css/localzero.css' %}">
-    <script src="{% static 'js/localzero.js' %}"></script>
     <link rel="stylesheet" href="{% static 'css/main.css' %}">
     <script src="{% static 'jquery/jquery.min.js' %}"></script>
     <script src="{% static 'tabler/js/tabler.min.js' %}" defer></script>
@@ -42,7 +41,7 @@
                 <li class="menu-item">
                   <a href="{% url 'ueber-uns' %}">Über uns</a>
                 </li>
-                <li class="menu-item" onclick="toggleSubmenu(event)">
+                <li class="menu-item" id="menu-item-toggleable">
                   <a role="button">Kommunen</a>
                   <ul class="sub-menu">
                     {% for city in cities %}
@@ -60,7 +59,7 @@
                href="{% url 'jetzt-spenden' %}"
                type="button">Jetzt spenden</a>
           </div>
-          <div id="nav-burger" class="nav-burger" onclick="toggleMobile()">
+          <div id="nav-burger" class="nav-burger">
             <div>
               <div class="hamburger"></div>
               <div class="hamburger"></div>
@@ -112,5 +111,6 @@
       </footer>
     </div>
     <script src="{% static 'js/main.js' %}"></script>
+    <script src="{% static 'js/localzero.js' %}"></script>
   </body>
 </html>

docker/reverseproxy/conf.d/nginx.conf

@@ -1,4 +1,5 @@
 server_names_hash_bucket_size  64;
+server_tokens off;
 
 server {
     listen 443 ssl;
@@ -13,6 +14,7 @@ server {
         proxy_pass http://$nginx:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
 
     include /etc/nginx/conf.d/ssl.conf;
@@ -31,6 +33,7 @@ server {
         proxy_pass http://$nginx:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }
 
     include /etc/nginx/conf.d/ssl.conf;