Source code of the association's membership register
https://rekisteri.datat.fi
Repository contents:
- Client
- Server
- db
- Client.hs
- PrintSchema.hs
- README.md
- Server.hs
- Setup.hs
- datarekisteri.cabal
- guix.scm
- schema.gql
README.md
Reverse proxy configuration
A CSP should be defined that blocks all scripts, as the app doesn't need any client-side scripting. X-Content-Type-Options: nosniff stops the browser from sniffing content types and misidentifying files as stylesheets or scripts.
Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'
X-Content-Type-Options: nosniff
The reverse proxy must also enforce HTTPS: redirect all HTTP requests to HTTPS and set the Strict-Transport-Security header.
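A deployment check for the headers described above, added here as an example; it is not code from the datarekisteri repository. It reads a saved HTTP response header block (the sample responses and the file names are constructed, and `fetch_headers` is a thin curl wrapper for checking a live proxy) and fails if the CSP contains an unknown directive name, if script-src or object-src is not exactly 'none', if X-Content-Type-Options is not nosniff, or if Strict-Transport-Security lacks a max-age. Browsers ignore a misspelt directive such as "scrip-src", which would leave script loading governed by default-src 'self' instead of blocking it, so the name check is the one that matters most.

```shell
#!/bin/sh
# Added example; not code from the datarekisteri repository. Verifies that the
# reverse proxy in front of the app sends the headers the README asks for.
# Reads raw response headers from a file so it runs offline.

# Common directive names from CSP Level 3. Anything else (e.g. "scrip-src") is
# ignored by browsers, so it is reported as unknown and fails the check.
KNOWN_CSP_DIRECTIVES="default-src script-src script-src-elem script-src-attr \
style-src style-src-elem style-src-attr img-src connect-src font-src object-src \
media-src frame-src child-src worker-src manifest-src frame-ancestors form-action \
base-uri sandbox report-uri report-to upgrade-insecure-requests \
trusted-types require-trusted-types-for"

# header_value FILE NAME: print the trimmed value of header NAME (case-insensitive)
header_value() {
    tr -d '\r' < "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}

# csp_check CSP_VALUE: succeed only if every directive name is known and both
# script-src and object-src are exactly 'none'; problems are printed one per line
csp_check() {
    printf '%s' "$1" | tr ';' '\n' | awk -v known="$KNOWN_CSP_DIRECTIVES" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if ($0 == "") next
            if (!($1 in ok)) { print "unknown CSP directive: " $1; bad = 1 }
            if (NF == 2 && $2 == "\047none\047") {
                if ($1 == "script-src") script_none = 1
                if ($1 == "object-src") object_none = 1
            }
        }
        END {
            if (!script_none) { print "script-src is not \047none\047"; bad = 1 }
            if (!object_none) { print "object-src is not \047none\047"; bad = 1 }
            exit bad
        }'
}

# check_headers FILE: run every check against a saved response; exit status 0 = pass
check_headers() {
    f=$1; rc=0
    csp=$(header_value "$f" Content-Security-Policy)
    if [ -z "$csp" ]; then
        echo "missing Content-Security-Policy"; rc=1
    elif ! csp_check "$csp"; then
        rc=1
    fi
    [ "$(header_value "$f" X-Content-Type-Options | tr 'A-Z' 'a-z')" = nosniff ] ||
        { echo "X-Content-Type-Options is not nosniff"; rc=1; }
    case $(header_value "$f" Strict-Transport-Security) in
        *max-age=*) ;;
        *) echo "Strict-Transport-Security missing or without max-age"; rc=1 ;;
    esac
    return $rc
}

# fetch_headers URL FILE: save a live proxy's response headers for check_headers
fetch_headers() { curl -sS -D "$2" -o /dev/null "$1"; }

# sample_headers good|typo: constructed responses for offline use. "typo" carries
# the misspelt "scrip-src" directive, which a browser would silently ignore.
sample_headers() {
    if [ "$1" = good ]; then scr=script-src; else scr=scrip-src; fi
    printf 'HTTP/1.1 200 OK\r\n'
    printf "Content-Security-Policy: default-src 'self'; %s 'none'; object-src 'none'\r\n" "$scr"
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n'
}

# Usage: sh check_proxy.sh headers.txt
#        (live: fetch_headers https://your-proxy.example headers.txt first)
[ $# -eq 0 ] || check_headers "$1"
```

Run it once against the proxy after every configuration change; a non-zero exit with the printed problems is the signal that a header was dropped or misspelt.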
DoS-attack mitigation
The app itself does nothing against DoS attacks. At a bare minimum, rate limit the app's endpoint.
$ iptables -A INPUT -p tcp -m tcp --syn -m hashlimit \
--hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstport \
--hashlimit-name conn-srcip-dport-rate-limit -j ACCEPT
This, for example, rate limits new TCP connections (SYN packets) per source IP and destination port. Note that the rule only accepts connection attempts that stay within the limit; it drops nothing by itself, so SYNs that exceed the limit must be discarded by a later DROP rule or by the INPUT chain's default policy.
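The complete rule set that the hashlimit rule above needs in order to actually limit anything, added here as an example; it is not code from the datarekisteri repository. The hashlimit match only ACCEPTs while a source stays under the limit, so the script pairs it with a DROP for the excess and puts both in a dedicated chain that only new-connection SYNs to the proxy's ports enter, so the DROP cannot affect other traffic. The chain name SYN_LIMIT, the default ports 80 and 443, the default rate and burst, and the rate-limited LOG line for detection are all assumptions to adjust for the host.

```shell
#!/bin/sh
# Added example; not code from the datarekisteri repository. Prints (and, as
# root, applies) a per-source-IP SYN rate limit for the reverse proxy's ports:
# hashlimit ACCEPT, a rate-limited LOG for visibility, then DROP for the rest.

# syn_limit_rules [RATE] [BURST] [PORTS]: print the iptables commands, apply nothing.
# Defaults (assumed, adjust per host): 10/sec, burst 10, ports 80 and 443.
syn_limit_rules() {
    rate=${1:-10/sec} burst=${2:-10} ports=${3:-80,443}
    cat <<EOF
iptables -N SYN_LIMIT 2>/dev/null || iptables -F SYN_LIMIT
iptables -D INPUT -p tcp --syn -m multiport --dports $ports -j SYN_LIMIT 2>/dev/null || true
iptables -A INPUT -p tcp --syn -m multiport --dports $ports -j SYN_LIMIT
iptables -A SYN_LIMIT -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip,dstport --hashlimit-name syn-srcip-dport -j ACCEPT
iptables -A SYN_LIMIT -m limit --limit 6/min -j LOG --log-prefix "SYN_LIMIT drop: "
iptables -A SYN_LIMIT -j DROP
EOF
}

# apply_syn_limit [RATE] [BURST] [PORTS]: install the rules (Linux, root only).
# Re-running it flushes and rebuilds the chain, so it is safe to repeat.
apply_syn_limit() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_syn_limit: run as root" >&2; return 1; }
    syn_limit_rules "$@" | sh -e
}

# Usage: sh syn_limit.sh show [RATE] [BURST] [PORTS]   # review the rules
#        sudo sh syn_limit.sh apply [RATE] [BURST] [PORTS]
if [ "${1:-}" = apply ]; then shift; apply_syn_limit "$@"
elif [ "${1:-}" = show ]; then shift; syn_limit_rules "$@"
fi
```

Excess attempts show up in the kernel log with the "SYN_LIMIT drop:" prefix, throttled to six lines a minute so a flood cannot also fill the disk; that log line is the cheapest indicator that the limit is being hit.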