CopyBot/mediacms
1
0
Fork 0
mirror of https://github.com/mediacms-io/mediacms.git synced 2025-11-20 13:36:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat: Bulk fixes (#1195)

Browse Source 
remove ckeditor - not in use
add more strict default password validators
set Django admin as configurable URL
add nginx HSTS and CSP headers
enable moving from private to unlisted in the PORTAL_WORKFLOW private
on default comments listing, show only comments for public media
in case of a private media, dont expose any unneeded metadata
This commit is contained in:
Markos Gogoulos
2025-02-13 13:41:53 +02:00
committed by GitHub
parent 5402ee7bc5
commit 3a8cacc847
13 changed files with 151 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
deploy/docker/nginx_http_only.conf
View File

@@ -6,6 +6,26 @@ server {
error_log /var/log/nginx/mediacms.io.error.log warn;
# HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# CSP header
add_header Content-Security-Policy "
default-src 'self';
script-src 'self';
style-src 'self';
img-src 'self' data: blob:;
media-src 'self' blob:;
frame-src 'self';
font-src 'self';
connect-src 'self';
object-src 'none';
frame-ancestors 'self';
form-action 'self';
base-uri 'self';
upgrade-insecure-requests;
" always;
location /static {
alias /home/mediacms.io/mediacms/static ;
}

22
deploy/local_install/mediacms.io
View File

@@ -17,6 +17,26 @@ server {
# rewrite ^/(.*)$ https://localhost/$1 permanent;
# }
# HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# CSP header
add_header Content-Security-Policy "
default-src 'self';
script-src 'self';
style-src 'self';
img-src 'self' data: blob:;
media-src 'self' blob:;
frame-src 'self';
font-src 'self';
connect-src 'self';
object-src 'none';
frame-ancestors 'self';
form-action 'self';
base-uri 'self';
upgrade-insecure-requests;
" always;
location /static {
alias /home/mediacms.io/mediacms/static ;
}
@@ -49,7 +69,7 @@ server {
ssl_dhparam /etc/nginx/dhparams/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_prefer_server_ciphers on;