Commit cf208330 authored by Ciaran Ainsworth

Update the post with context about the Nginx headers and a link to the reports.

parent 1fee899b
Pipeline #18133 passed with stages in 2 minutes and 4 seconds
......@@ -11,11 +11,11 @@ As many of you know, we received some [backing from NLNet]((unknown)/blog-post-
Due to the [change of maintainers]((unknown)/funkwhale-is-looking-for-new-maintainers.md) and the subsequent handover of duties, we've not had time to publish the results of this report and the actions we took to address the issues raised. Since things have calmed down a bit, let's go through these here!
You can read the full report [here]().
You can read the full report [here](https://nextcloud.funkwhale.audio/s/daSiMtE6SqSq5R7).
## Issues and actions
NLNet's security report involved a quick penetration test performed by an independent security company. Its goal was to point out common exploits present in our app. The report highlighted **4** issues. Of these, **3** are **Resolved**. The last issue we have decided we are **Not doing**. Let's get into the details.
NLNet's security report involved a quick penetration test performed by an independent security company. Its goal was to point out common exploits present in our app. The report highlighted **4** issues. Of these, **2** are **Resolved**. The other **2** we have decided we are **Not doing**. Let's get into the details.
### Input validations are not secure enough
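Review bot: The summary now says 2 Resolved / 2 Not doing, but the only status flip visible in this commit is the Nginx headers item further down (Resolved to Not Doing); please confirm the two issue sections outside these hunks still carry statuses that add up to those figures, since the old text counted 3 Resolved. Minor style point on the report link: the anchor text "here" hides the destination, and a share URL on a third-party host can expire; something like "You can read the full report on our Nextcloud share" tells readers where the link goes.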
......@@ -64,9 +64,9 @@ NLNet suggested that we implement improved security headers in our default Nginx
#### Our response
We've implemented several improvements to our Nginx config since this report was done. Notably, the header they suggested we use was already present in our config, so no action was required.
We've implemented several improvements to our Nginx config since this report was done. Notably, the suggested header (`"Strict-Transport-Security: max-age=31536000"`) is present in our config already. We do not use the `includeSubDomains` option as we don't think this is a choice we should make for our users. Users can add this to their config if they want a little extra security!
* Status: **Resolved**.
* Status: **Not Doing**.
* Issue link: <https://dev.funkwhale.audio/funkwhale/funkwhale/-/issues/1493>
That's it for now! We'll try to be quicker with these summaries in future. Thank you for bearing with us 🙏
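Review bot: The new status **Not Doing** contradicts the paragraph it follows, which says the suggested `Strict-Transport-Security: max-age=31536000` header is already present in the config; what is actually being declined is only the `includeSubDomains` option. Say so in the status line, e.g. `* Status: **Not Doing** (header already set; `includeSubDomains` left to instance admins).`, so the Not Doing count in the summary is not read as "no HSTS". For the admins the paragraph points at, quoting the Nginx directive they would add, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`, is more useful than the bare header value, and "a little extra security" undersells it: without `includeSubDomains` HSTS protects only the exact hostname, so any sibling subdomain can still be served over plain HTTP.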