datarekisteri/README.md
2023-01-20 09:20:06 +02:00
# Reverse proxy configuration
The reverse proxy should send a Content-Security-Policy that blocks all scripts,
since the app needs no client-side scripting. X-Content-Type-Options: nosniff
stops browsers from MIME-sniffing a response into a stylesheet or script when
its declared Content-Type says otherwise.
```
Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'
X-Content-Type-Options: nosniff
```
The reverse proxy must also enforce HTTPS: redirect every plain-HTTP request to
HTTPS and send the Strict-Transport-Security header on HTTPS responses, so that
browsers stop attempting HTTP at all for the header's max-age. Browsers cache
HSTS, so only enable it once the site is fully reachable over HTTPS.
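An nginx server configuration that puts the pieces above together, added here as
an example; it is not the project's own configuration, and the hostname,
certificate paths and upstream address are placeholders:

```nginx
# Added example, not from the datarekisteri repository. Hostname, certificate
# paths and the upstream address are placeholders.

# Plain HTTP: never serve the app, only redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name datarekisteri.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name datarekisteri.example;

    ssl_certificate     /etc/ssl/certs/datarekisteri.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/datarekisteri.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # "always" attaches the headers to error responses (4xx/5xx) as well,
    # not only to 2xx/3xx, which is nginx's default for add_header.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream (the app)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Keep all add_header lines at server level: in nginx an add_header inside a
location block replaces, rather than extends, the server-level set, so a single
add_header in a location would silently drop the CSP, HSTS and nosniff headers
for that path.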
# DoS-attack mitigation
The app itself does nothing against denial-of-service attacks. As a bare
minimum, rate limit the app's endpoint on the host or at the reverse proxy.
```
$ iptables -A INPUT -p tcp -m tcp --syn --dport 443 -m hashlimit \
    --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstport \
    --hashlimit-name conn-srcip-dport-rate-limit -j ACCEPT
# SYNs above the limit do not match the rule above; drop them explicitly.
$ iptables -A INPUT -p tcp -m tcp --syn --dport 443 -j DROP
```
This limits new TCP connections (SYN packets) to port 443, where the proxy
terminates TLS, to 10 per second per source address and destination port, with
a burst of 10. The ACCEPT rule alone changes nothing under the default ACCEPT
policy: SYNs that exceed the limit simply fail to match it, so the following
DROP rule is what actually enforces the limit, and both rules must come before
any rule that accepts port 443 unconditionally. Note that this counts
connections, not requests: a client can send many requests over one keep-alive
connection, so rate limit requests at the reverse proxy as well.
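Request-level rate limiting inside nginx, to complement the connection-level
limit in iptables, added here as an example; it is not the project's own
configuration, and the zone names, rates, certificate paths and upstream address
are placeholders:

```nginx
# Added example, not from the datarekisteri repository. Zone names, rates,
# certificate paths and the upstream address are placeholders.
http {
    # Token bucket keyed by client address: 10 requests/second per client,
    # state kept in a 10 MB shared zone (roughly 160k addresses).
    limit_req_zone $binary_remote_addr zone=datarekisteri_req:10m rate=10r/s;
    # Concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=datarekisteri_conn:10m;
    # Answer rejected requests with 429 rather than the default 503.
    limit_req_status  429;
    limit_conn_status 429;
    limit_req_log_level warn;

    server {
        listen 443 ssl;
        server_name datarekisteri.example;
        ssl_certificate     /etc/ssl/certs/datarekisteri.pem;    # placeholder
        ssl_certificate_key /etc/ssl/private/datarekisteri.key;  # placeholder

        location / {
            # Allow short bursts of up to 20 requests without delaying them;
            # anything beyond rate + burst is rejected immediately.
            limit_req zone=datarekisteri_req burst=20 nodelay;
            # At most 20 open connections per client address.
            limit_conn datarekisteri_conn 20;
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream (the app)
        }
    }
}
```

Two caveats: if the proxy sits behind a load balancer or CDN, $binary_remote_addr
is that device's address and every client shares one bucket, so the real client
address has to be restored first (nginx's realip module) or the limit keyed on a
trusted forwarded-for value; and any limit keyed on source address is only a
brake on a single abusive client, not a defence against a distributed flood.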