
Update nginx-root.conf.sample

Open tofuSCHNITZEL opened this issue 1 year ago • 5 comments

☑️ Resolves

  • prevents access to grunt, package and composer files that could help an attacker to get information about the system (used packages, version etc.)

tofuSCHNITZEL avatar Aug 29 '24 11:08 tofuSCHNITZEL
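For readers who want to see what such a rule looks like in practice, here is an added illustration of the kind of nginx `location` block the description above refers to. It is not the PR's own diff (the diff is not shown on this page) and the file list is constructed here from the usual names of grunt, npm and composer metadata files; adjust it to whatever actually exists in your webroot.

```nginx
# Added example, not from the PR: deny direct web access to build/packaging
# metadata at the Nextcloud webroot. Place it alongside the other
# "return 404" location blocks in nginx-root.conf.sample.
# Regex locations take precedence over the generic "location /" block, so a
# request for one of these names is answered with 404 instead of being served
# by try_files. The file list is constructed for illustration.
location ~ ^/(?:package(?:-lock)?\.json|composer\.(?:json|lock)|Gruntfile\.js)$ {
    return 404;
}
```

After reloading nginx (`nginx -t && nginx -s reload`), a defender can confirm the rule from the outside with `curl -I https://example.com/package.json` and expect `HTTP/1.1 404`. Note that this pattern only matches files directly in the webroot; the same files inside directories that the sample config already blocks (for example `build`, `tests`, `3rdparty`) are unaffected by it.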

You speak of code files? That is then also in the official repositories, no? You can just get the version of a setup from https://example.com/status.php

tflidd avatar Sep 25 '24 12:09 tflidd

> You speak of code files? That is then also in the official repositories, no? You can just get the version of a setup from https://example.com/status.php

Not sure what you are referring to. These additions to the nginx.conf prevent information disclosure of the Nextcloud installation and were recommended to me after a security audit of my Nextcloud install.

tofuSCHNITZEL avatar Sep 25 '24 12:09 tofuSCHNITZEL

Hiding these files will not make your setup more secure. The versions of any part of Nextcloud can be found out in multiple ways which can then be used to figure out the content of these files since everything is publicly available. Also see https://nextcloud.com/security/threat-model/#version-disclosure

provokateurin avatar Sep 28 '24 12:09 provokateurin

Perhaps some of the packaging info can be removed after the packages are built. (most of the files you excluded already reside in folders that are excluded as well).

tflidd avatar Oct 01 '24 07:10 tflidd

Those files are kept for legal/license reasons to trace back dependencies.

provokateurin avatar Oct 01 '24 08:10 provokateurin