From be4b3cfad2e153bd309e62e66da6f9dedbb8bac9 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Wed, 25 Sep 2019 00:27:31 +0200
Subject: [PATCH] Fix CORS header

* additional security directives
---
 CHANGELOG.md | 7 +++++++
 wo/cli/templates/locations.mustache | 4 ++--
 wo/cli/templates/nginx-core.mustache | 2 +-
 wo/cli/templates/wpcommon.mustache | 10 +++++-----
 4 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c3d02e..c228cc4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,10 +11,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 #### Added
 
 - [SECURE] Allow new ssh port with UFW when running `wo secure --sshport`
+- [SECURITY] Additional Nginx directives to prevent access to log files or backup from web browser
+- [CORE] apt-mirror-updater to select the fastest debian/ubuntu mirror with automatic switching between mirrors if the current mirror is being updated
+
+#### Changed
+
+- [SECURITY] Improved sshd_config template according to Mozilla Infosec guidelines
 
 #### Fixed
 
 - [STACK] UFW setup after removing all stacks with `wo stack purge --all`
+- [CONFIG] Invalid CORS header
 
 ### v3.9.9 - 2019-09-24
 
diff --git a/wo/cli/templates/locations.mustache b/wo/cli/templates/locations.mustache
index ff9da19..0d9a88a 100644
--- a/wo/cli/templates/locations.mustache
+++ b/wo/cli/templates/locations.mustache
@@ -12,7 +12,7 @@ location @empty_gif {
 }
 # Cache static files
 location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest)$ {
- more_set_headers 'Access-Control-Allow-Origin : "*"';
+ more_set_headers 'Access-Control-Allow-Origin : *';
 more_set_headers "Cache-Control : public, no-transform";
 access_log off;
 log_not_found off;
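Review bot: Dropping the inner double quotes on `more_set_headers 'Access-Control-Allow-Origin : *';` is the right fix, since the previous value sent the literal `"*"`, which is neither a valid origin nor the wildcard and so made every cross-origin asset request fail the CORS check; the same correction appears in the second hunk of this file and in the three wpcommon.mustache hunks. In wpcommon.mustache the change also swaps `add_header` for the headers-more `more_set_headers`, which emits the header on every response status rather than only on 2xx/3xx as `add_header` does, so 404s for missing assets now carry the wildcard too; harmless for an uncredentialed `*`, but the reason for mixing the two directives in one location is not recorded. A short comment where the directive is introduced would prevent a later "cleanup" back to `add_header`, e.g. `# wildcard CORS for static assets; headers-more emits it on all statuses, unlike add_header`.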
@@ -20,7 +20,7 @@ location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?
 }
 # Cache css & js files
 location ~* \.(?:css(\.map)?|js(\.map)?)$ {
- more_set_headers 'Access-Control-Allow-Origin : "*"';
+ more_set_headers 'Access-Control-Allow-Origin : *';
 more_set_headers "Cache-Control : public, no-transform";
 access_log off;
 log_not_found off;
diff --git a/wo/cli/templates/nginx-core.mustache b/wo/cli/templates/nginx-core.mustache
index dd1db4b..096a599 100644
--- a/wo/cli/templates/nginx-core.mustache
+++ b/wo/cli/templates/nginx-core.mustache
@@ -66,7 +66,7 @@ http {
 more_set_headers "X-Frame-Options : SAMEORIGIN";
 more_set_headers "X-Xss-Protection : 1; mode=block";
 more_set_headers "X-Content-Type-Options : nosniff";
- more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
+ more_set_headers "Referrer-Policy : no-referrer, strict-origin-when-cross-origin";
 more_set_headers "X-Download-Options : noopen";
 
 # oscp settings
diff --git a/wo/cli/templates/wpcommon.mustache b/wo/cli/templates/wpcommon.mustache
index ccc10d7..7323ade 100644
--- a/wo/cli/templates/wpcommon.mustache
+++ b/wo/cli/templates/wpcommon.mustache
@@ -40,15 +40,15 @@ location @robots {
 location /wp-content/uploads {
 location ~ \.(png|jpe?g)$ {
 add_header Vary "Accept-Encoding";
- add_header "Access-Control-Allow-Origin" "*";
+ more_set_headers 'Access-Control-Allow-Origin : *';
 add_header Cache-Control "public, no-transform";
 access_log off;
 log_not_found off;
 expires max;
 try_files $uri$webp_suffix $uri =404;
 }
- location ~ \.php$ {
-#Prevent Direct Access Of PHP Files From Web Browsers
+ location ~* \.(php|gz|log|zip|tar|rar}$ {
+ #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
 deny all;
 }
 }
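Review bot: The new `Referrer-Policy : no-referrer, strict-origin-when-cross-origin` value depends on the header's fallback semantics, where a browser applies the last policy it recognises, so current browsers use `strict-origin-when-cross-origin` and older ones fall back to `no-referrer`; nothing in the template says so, and the commit title ("Fix CORS header") does not mention this change, so a later maintainer may read the comma list as a typo and "fix" it back to a single value. A comment above the directive would record the intent, e.g. `# fallback list: browsers apply the last policy they recognise, older ones use no-referrer`. The enclosing `http {` block starts and ends outside the hunk.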
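Review bot: The new `location ~* \.(php|gz|log|zip|tar|rar}$ {` line in wpcommon.mustache closes the `(` group with `}` instead of `)`, so PCRE reports a missing `)` when the rendered config is loaded and `nginx -t` rejects the whole configuration; the deny rule this commit adds, and every other directive in the generated file, is then never applied. The line should read `location ~* \.(php|gz|log|zip|tar|rar)$ {`. The comment on the following line also lost a space and should be `#Prevent Direct Access Of PHP Files & Backups From Web Browsers`. Since the stated goal is to block log and backup downloads from the uploads directory, running `nginx -t` against a rendered template before merging would catch this class of error.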
@@ -56,7 +56,7 @@ location /wp-content/uploads {
 location /wp-content/plugins/ewww-image-optimizer/images {
 location ~ \.(png|jpe?g)$ {
 add_header Vary "Accept-Encoding";
- add_header "Access-Control-Allow-Origin" "*";
+ more_set_headers 'Access-Control-Allow-Origin : *';
 add_header Cache-Control "public, no-transform";
 access_log off;
 log_not_found off;
@@ -72,7 +72,7 @@ location /wp-content/plugins/ewww-image-optimizer/images {
 location /wp-content/cache {
 # Cache css & js files
 location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
- add_header "Access-Control-Allow-Origin" "*";
+ more_set_headers 'Access-Control-Allow-Origin : *';
 access_log off;
 log_not_found off;
 expires 30d;