Add possible security measures in README

This commit is contained in:
Clement Michaud 2017-10-19 21:51:22 +02:00
parent 869d55dfd1
commit a3560ef8d3
2 changed files with 23 additions and 0 deletions

View File

@ -4,3 +4,4 @@ who commit code to the project are encouraged to add their names
here. Please keep the list sorted by first names here. Please keep the list sorted by first names
Clement Michaud <clement.michaud34@gmail.com> Clement Michaud <clement.michaud34@gmail.com>
Antoine Favre <@n4kre>

View File

@ -221,6 +221,28 @@ that the attacker must also require the certificate to retrieve the cookies.
Note that using [HSTS] has consequences. That's why you should read the blog Note that using [HSTS] has consequences. That's why you should read the blog
post nginx has written on [HSTS]. post nginx has written on [HSTS].
### More protections measures
You can also apply the following headers to your nginx configuration for
improving security. Please read the documentation of those headers before
applying them blindly.
```
# We don't want any credentials / TOTP secret key / QR code to be cached by
# the client
add_header Cache-Control "no-store";
add_header Pragma "no-cache";
# Clickjacking / XSS protection
# We don't want Authelia's login page to be rendered within a <frame>,
# <iframe> or <object> from an external website.
add_header X-Frame-Options "SAMEORIGIN";
# Block pages from loading when they detect reflected XSS attacks.
add_header X-XSS-Protection "1; mode=block";
```
## Documentation ## Documentation
### Authelia configuration ### Authelia configuration
The configuration of the server is defined in the file The configuration of the server is defined in the file