@@ -11,11 +11,11 @@ As many of you know, we received some [backing from NLNet]((unknown)/blog-post-
...
@@ -11,11 +11,11 @@ As many of you know, we received some [backing from NLNet]((unknown)/blog-post-
Due to the [change of maintainers]((unknown)/funkwhale-is-looking-for-new-maintainers.md) and the subsequent handover of duties, we've not had time to publish the results of this report and the actions we took to address the issues raised. Since things have calmed down a bit, let's go through these here!
Due to the [change of maintainers]((unknown)/funkwhale-is-looking-for-new-maintainers.md) and the subsequent handover of duties, we've not had time to publish the results of this report and the actions we took to address the issues raised. Since things have calmed down a bit, let's go through these here!
You can read the full report [here]().
You can read the full report [here](https://nextcloud.funkwhale.audio/s/daSiMtE6SqSq5R7).
## Issues and actions
## Issues and actions
NLNet's security report involved a quick penetration test performed by an independent security company. Its goal was to point out common exploits present in our app. The report highlighted **4** issues. Of these, **3** are **Resolved**. The last issue we have decided we are **Not doing**. Let's get into the details.
NLNet's security report involved a quick penetration test performed by an independent security company. Its goal was to point out common exploits present in our app. The report highlighted **4** issues. Of these, **2** are **Resolved**. The other **2** we have decided we are **Not doing**. Let's get into the details.
### Input validations are not secure enough
### Input validations are not secure enough
...
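Review bot: The tally on the new line ("**2** are **Resolved**. The other **2** we have decided we are **Not doing**") replaces the old 3/1 split, but only the summary is in this hunk; the per-issue sections below (starting with `### Input validations are not secure enough`) are unchanged context, so check that exactly two of them now carry a "Not doing" status and that the sentence explains, for the issue that moved from Resolved to Not doing, why it was reclassified, otherwise the summary and the detail disagree. Separately, the full-report link now points at a Nextcloud share (`https://nextcloud.funkwhale.audio/s/daSiMtE6SqSq5R7`); since share links can expire or be revoked, consider also committing the PDF to the blog repository and linking it relatively, the same way the `funkwhale-is-looking-for-new-maintainers.md` link is done two lines above.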
@@ -64,9 +64,9 @@ NLNet suggested that we implement improved security headers in our default Nginx
...
@@ -64,9 +64,9 @@ NLNet suggested that we implement improved security headers in our default Nginx
#### Our response
#### Our response
We've implemented several improvements to our Nginx config since this report was done. Notably, the header they suggested we use was already present in our config, so no action was required.
We've implemented several improvements to our Nginx config since this report was done. Notably, the suggested header (`"Strict-Transport-Security: max-age=31536000"`) is present in our config already. We do not use the `includeSubDomains` option as we don't think this is a choice we should make for our users. Users can add this to their config if they want a little extra security!
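Review bot: The new paragraph tells users they "can add this to their config if they want a little extra security" but does not say what to add or where, so the sentence is not actionable; quote the directive from the example Nginx config, e.g. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`, and note that a user should only do so once every subdomain of their instance is served over HTTPS, since `includeSubDomains` makes browsers refuse plain-HTTP connections to all of them for the whole `max-age` period (31536000 seconds is one year, which is worth spelling out for readers). It would also help to say how the header's presence was verified (for example, inspecting the response headers of a deployed instance), because the old wording ("no action was required") is dropped and the new text only asserts the header "is present in our config already".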