
Questionable control 16 #21

Open
rndmh3ro opened this issue Jan 31, 2018 · 4 comments

Comments

@rndmh3ro
Member

Control 16 adds a check for set_cookie_flag. Looking at this option it seems you can only activate this if you use the nginx_cookie_flag_module. And to activate it you need to compile nginx from source.

I'm not sure that compiling nginx from source and using a third-party module really improves security, especially if you look at the problems this setting can cause: https://unix.stackexchange.com/a/307479

In my opinion this control should be deleted. Setting cookies should be part of a secure application, not the webserver.

```ruby
control 'nginx-16' do
  impact 1.0
  title 'Set cookie with HttpOnly and Secure flag'
  desc 'You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.'
  # set_cookie_flag is only available when the third-party nginx_cookie_flag_module is compiled in
  describe parse_config_file(nginx_hardening, options_add_header) do
    # require one or more whitespace characters between the tokens
    its('content') { should match(/^\s*set_cookie_flag\s+HttpOnly\s+secure;$/) }
  end
end
```
@woneill
Contributor

woneill commented May 8, 2018

I've run into this issue as well and end up skipping this control across the board.

I'm also questioning nginx-14 since it's assuming the if test of $request_method has been added to /etc/nginx/nginx.conf. Since that kind of test needs to be inside a server block, I don't see how this test could ever work.

@chris-rock
Member

We could introduce attributes to make tests optional. If a test is not working, we should remove it.

@rndmh3ro
Member Author

I think making tests optional is a good idea! However, I also think that this test should then be off by default (opt-in), since building nginx from source is IMO still not a good idea.

@chris-rock
Member

Thank you @woneill @rndmh3ro for bringing up that question. I agree that we should try to stick to vendor-supported compiled versions and try to squeeze the most secure configuration out of them. If we change the default behavior, we need to bump it to 3.x.

@atomic111 I'd like to get your perspective on that. We could make this an optional test, as @woneill has done in his PR #26.
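The two points raised in this thread, that the `$request_method` test of nginx-14 only makes sense inside a `server` block and that nginx-16 should become opt-in, modelled in plain Ruby as an added example (this is not code from the nginx-baseline profile or from any participant; the config snippets are constructed, and the InSpec attribute wiring is left out so the block runs on its own):

```ruby
# Added example, not code from the nginx-baseline profile: a plain-Ruby model of
# the checks discussed in this issue, aware of nginx block nesting.

# Return [[block_path, line], ...] for every directive and block opener in config.
def nginx_directives(config)
  stack, out = [], []
  config.each_line do |raw|
    line = raw.sub(/#.*/, '').strip                          # drop comments
    next if line.empty?
    next stack.pop if line == '}'                            # leave a block
    stack.push(line.chomp('{').strip) if line.end_with?('{') # enter a block
    out << [stack.dup, line]
  end
  out
end

# nginx-16: the directive exists only when nginx_cookie_flag_module is compiled in.
def cookie_flag_set?(config)
  nginx_directives(config).any? { |_, line| line.match?(/^set_cookie_flag\s+HttpOnly\s+secure;$/) }
end

# nginx-14: an `if ($request_method ...)` test is only valid inside a server block,
# so a match at the top level of nginx.conf does not count.
def request_method_guarded?(config)
  nginx_directives(config).any? do |path, line|
    path.include?('server') && line.match?(/^if\s*\(\s*\$request_method\b/)
  end
end

# Opt-in behaviour proposed in the thread: a disabled check is skipped, not failed.
def run_optional_check(enabled)
  return :skipped unless enabled
  yield ? :passed : :failed
end

# Constructed sample: a stock nginx.conf that only includes site files ...
NGINX_CONF = "http {\n  include /etc/nginx/sites-enabled/*;\n}\n"

# ... and a constructed site file whose server block carries both directives.
SITE_CONF = <<~'CONF'
  server {
    if ($request_method !~ ^(GET|HEAD|POST)$) {
      return 444;
    }
    set_cookie_flag HttpOnly secure;
  }
CONF
```

Against the top-level nginx.conf alone, `request_method_guarded?(NGINX_CONF)` is false, which is the situation @woneill describes, while the same check passes on the included site file; `run_optional_check(false) { cookie_flag_set?(NGINX_CONF) }` returns `:skipped`, the opt-in default proposed above.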

chris-rock added a commit that referenced this issue Nov 21, 2018
Make nginx-14 and nginx-16 disabled by default based on #21