On Monday, December 18, 2017 at 8:32:16 AM UTC-8, torgeriedel wrote:
>
> On 18.12.2017 at 09:15, Jun Omae wrote:
> > Hi,
> >
> > <[email protected]> wrote on 2017-Dec-15 at 06:02 PM:
> >> Any such headers need to be configurable, but we want to avoid
> >> configuration option bloat. What we might be able to do is add an
> >> [http-headers] configuration section to trac.ini. We could specify some
> >> common configurations in the documentation.
> >>
> >> Example configuration:
> >>
> >> [http-headers]
> >> X-Frame-Options = DENY
> >> X-XSS-Protection = 1; mode=block
> >>
> >> The option names as read by ConfigParser are case-insensitive, but I
> >> think that may be okay as it looks like the HTTP headers are also
> >> case-insensitive.
> >>
> >> I've done a PoC patch against 1.2-stable, but I'll want to hear what
> >> Jun has to say before suggesting this is the right solution, since he has
> >> much more experience with web server internals and configuration.
> >
> > Good feature.
> >
> > My suggestions:
> >
> > 1. Whether the HTTP header name is valid, like the [trac] xsendfile_header
> >    option.
> > 2. Whether the HTTP header value is valid (the value cannot contain control
> >    characters except TAB and SPACE).
> > 3. Ignore some headers, e.g. Content-Type, Content-Length, Location,
> >    ETag, Pragma, Cache-Control, Expires.
> > 4. I think we should send configured headers for all send_* methods,
> >    including send_error().
> >
> > See attached patch.
> >
> > I thought it might be good to allow overwriting headers like "set" in
> > the mod_headers module, but it would not be needed in the use case of Trac.
>
> Hi,
>
> I created a temporary dev env of Trac 1.2.2 with the patch of Jun applied.
> I have configured the following headers in trac.ini:
>
> [http-headers]
> Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'
> Referrer-Policy = no-referrer
> Strict-Transport-Security = max-age=31536000; includeSubDomains
> X-Frame-Options = DENY
> X-Content-Type-Options = nosniff
> X-XSS-Protection = 1; mode=block
>
> With the headers defined as above, Trac should get a better rating, or
> something near to it.
>
> Well, currently the Trac test env I have set up is getting an F rating on
> observatory.mozilla.org, since HTTPS was not in use, a redirect to HTTPS
> is missing and HSTS was set without HTTPS.
>
> And there is another important point which needs to be adjusted:
>
> Cookies -40 Session cookie set without using the Secure flag
> or set over http
>
> If used on HTTPS the score is "just" -10, but I recommend adding the
> Secure flag to the cookie Trac is setting.
>
> https://trac.edgewall.org/wiki/TracIni#trac-secure_cookies-option
>
> Is there a chance to get this in a Trac 1.2.3? I recommend setting the
> headers above in a default trac.ini created by trac-admin initenv.

Yes, https://trac.edgewall.org/ticket/12964

- Ryan
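The checks Jun suggests above (a valid HTTP header name, a value with no control characters other than TAB and SPACE, and a list of headers Trac manages itself that configuration must not override), written out as an added Python example. This is not Jun's patch and not Trac's code: the function names, the exact ignore list, the token regex and the sample trac.ini text are assumptions constructed for illustration, and the sample deliberately includes three bad options (an ignored header, a name with a space, a value carrying a raw CR) to show each rejection path. The CR case matters most: a header value that reaches the wire with CR/LF inside it becomes a second, attacker-chosen header.

```python
"""Validate an [http-headers] section of trac.ini (added example, not Trac's code)."""
import configparser
import re

# RFC 7230 "tchar": the characters allowed in an HTTP header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Headers Trac computes per response; a configured value must not override
# them (the list is Jun's suggestion 3 from the thread, assumed here).
IGNORED_HEADERS = frozenset(name.lower() for name in (
    'Content-Type', 'Content-Length', 'Location', 'ETag',
    'Pragma', 'Cache-Control', 'Expires',
))


def is_valid_header_name(name):
    """True if name is a single RFC 7230 token (no spaces, no separators)."""
    return bool(_TOKEN_RE.match(name))


def is_valid_header_value(value):
    """True if value has no control characters other than TAB and SPACE.

    CR (0x0D) and LF (0x0A) are the dangerous ones: they would let a config
    value inject extra headers into every response. DEL (0x7F) is rejected too.
    """
    for ch in value:
        if ch in ' \t':
            continue
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            return False
    return True


def load_http_headers(ini_text):
    """Parse ini_text and return (headers, problems).

    headers  : list of (name, value) pairs safe to add to every response
    problems : list of (name, reason) for options that were refused
    """
    # interpolation=None so a '%' in a CSP or similar value is left alone.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    headers, problems = [], []
    if not parser.has_section('http-headers'):
        return headers, problems
    for name, value in parser.items('http-headers'):
        # ConfigParser lowercases option names (optionxform); HTTP header
        # names are case-insensitive, so the lowercase form is fine on the wire.
        if not is_valid_header_name(name):
            problems.append((name, 'invalid header name'))
        elif name.lower() in IGNORED_HEADERS:
            problems.append((name, 'header is managed by Trac and ignored'))
        elif not is_valid_header_value(value):
            problems.append((name, 'value contains control characters'))
        else:
            headers.append((name, value))
    return headers, problems


# Constructed sample trac.ini: torgeriedel's six headers plus three options
# that each trip a different check. The last value embeds a raw CR.
SAMPLE_TRAC_INI = (
    "[trac]\n"
    "base_url = https://trac.example.invalid/\n"
    "\n"
    "[http-headers]\n"
    "Content-Security-Policy = frame-ancestors 'none'; default-src 'none'; "
    "img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'\n"
    "Referrer-Policy = no-referrer\n"
    "Strict-Transport-Security = max-age=31536000; includeSubDomains\n"
    "X-Frame-Options = DENY\n"
    "X-Content-Type-Options = nosniff\n"
    "X-XSS-Protection = 1; mode=block\n"
    "Content-Type = text/plain\n"
    "X-Bad Name = value\n"
    "X-Injected = ok\rSet-Cookie: evil=1\n"
)


if __name__ == '__main__':
    accepted, refused = load_http_headers(SAMPLE_TRAC_INI)
    for name, value in accepted:
        print('send   %s: %s' % (name, value))
    for name, reason in refused:
        print('refuse %s (%s)' % (name, reason))
```

If lowercase header names on the wire are undesirable, setting `parser.optionxform = str` before `read_string` keeps the case as written in trac.ini; the checks are unaffected because the ignore list is compared case-insensitively.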
