
harden nginx config

Open jacksingleton opened this issue 10 years ago • 1 comments

We could look at porting hardening.io's nginx hardening scripts to Ansible. They have Chef and Puppet implementations and even a test suite.

  • https://github.com/hardening-io?utf8=%E2%9C%93&query=nginx

Looking at the spec though, it might not be worth the trouble (although I'm sure it would be useful to others if we ported it over): https://github.com/hardening-io/tests-nginx-hardening/blob/master/default/serverspec/nginx_spec.rb

Would be pretty quick to add these parameters to our nginx config.

Can we find any more resources on a secure nginx setup?

jacksingleton Oct 27 '15 05:10

Let's take a look at the headers that SecureDrop has set: https://github.com/freedomofpress/securedrop/blob/2a3c93cf0fa3be87cd77bc8be2ebfb9ced2fc54f/install_files/ansible-base/roles/app/templates/sites-available/source.conf

They aggressively disable caching, for example. Might be a good idea.

jacksingleton Oct 28 '15 19:10