@ -23,6 +23,7 @@ |
<li><a href="#3.Using-safe-browsers">Using safe browsers</a></li> |
<li><a href="#4.Moving-config-file">Moving your configuration file out of the web directory</a></li> |
<li><a href="#5.Files-permissions">Restricting files permissions</a></li> |
<li><a href="#6.HSPS">HTTP Headers Security</a></li> |
</ol> |
<h2><a name="1.Disclosing-server-info"></a>1. Disclosing server info</h2> |
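Review bot: the new table-of-contents entry `<li><a href="#6.HSPS">HTTP Headers Security</a></li>` points at the fragment `6.HSPS`, but the heading it is meant to reach is added further down as a bare `<h2>HTTP Headers Security</h2>` with no matching `<a name="6.HSPS"></a>`, unlike the existing sections (for example `<h2><a name="1.Disclosing-server-info"></a>1. Disclosing server info</h2>`), so the link will not jump anywhere until the heading gets its anchor. For consistency with the other entries, the fragment should also follow the `N.Words-with-hyphens` pattern (something like `6.HTTP-headers-security`) and the target heading should carry its number ("6. HTTP Headers Security").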
@ -87,6 +88,21 @@ This will prevent direct access to your settings and make it seem totally the sa |
<hr /> |
<h2>HTTP Headers Security</h2> |
<p>A relatively recent development in web security, HTTP headers can be modified either |
from the web server or from the application (like Chamilo) to increase the security |
of your visitors.</p> |
<p>These implies several aspects, from simple to complex, to deal with, from stuff like |
indicating which websites you say media or libraries can be loaded from, to adding |
extra info about your SSL certificate to make sure a hacked certification authority |
will not immediately make your certificate useless.</p> |
<p>In Chamilo 1.11.6, we have added several parameters, together with recommendations, |
to main/install/configuration.dist.php, that you are free to use or ignore, |
depending on the level of security you want to achieve.</p>> |
<p>To check your portal for possible improvements in terms of headers security, |
we highly recommend the <a href="https://securityheaders.io/">securityheaders.io</a> |
website. If you want to read more about CSP and all related headers |
security techniques, check <a href="https://scotthelme.co.uk/">Scott Helme's blog</a>. |
<h2>Authors</h2> |
<ul> |
<li>Yannick Warnier, Zend Certified PHP Engineer, BeezNest Belgium SPRL, |
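Review bot: the new section's markup is broken in two places: the paragraph beginning `<p>In Chamilo 1.11.6, we have added several parameters` ends in `</p>>` (the stray `>` will render as visible text), and the final paragraph `<p>To check your portal for possible improvements` is never closed before `<h2>Authors</h2>`; drop the extra `>` and add the missing `</p>`. The heading `<h2>HTTP Headers Security</h2>` also needs the `<a name="6.HSPS"></a>` anchor that the table-of-contents link in the first hunk points to, plus the section number the other headings carry. Wording: "These implies several aspects" should read "This involves several aspects", and "indicating which websites you say media or libraries can be loaded from" should read "declaring which sites media or libraries may be loaded from". The sentence about "extra info about your SSL certificate" should name the header it refers to, and the risk it addresses is a compromised certification authority issuing a rogue certificate for your domain, not your own certificate becoming useless, so reword accordingly. Since the paragraph says the parameters live in main/install/configuration.dist.php, listing their names (or the headers each one sets) here would let readers find them without opening the file.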