Source code of the association's member register https://rekisteri.datat.fi
Saku Laesvuori cbf619c370
Initial commit
2023-01-31 23:17:49 +02:00
Client
Server
db
Client.hs
PrintSchema.hs
README.md
Server.hs
Setup.hs
datarekisteri.cabal
guix.scm
schema.gql

README.md

Reverse proxy configuration

A CSP should be defined that blocks all scripts, as the app doesn't need any client-side scripting. X-Content-Type-Options prevents browsers from misidentifying files as stylesheets or scripts.

Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'
X-Content-Type-Options: nosniff

The reverse proxy must also enforce HTTPS, which can be done by redirecting all HTTP requests to HTTPS and setting the Strict-Transport-Security header.

DoS attack mitigation

The app doesn't do anything against DoS attacks. As a bare minimum you should rate limit the app's endpoint.

$ iptables -A INPUT -p tcp -m tcp --syn -m hashlimit \
  --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstport \
  --hashlimit-name conn-srcip-dport-rate-limit -j ACCEPT

This, for example, would rate limit TCP connection attempts per source address, provided a later rule (or the chain's default policy) drops the SYN packets that exceed the limit; on its own the rule only accepts connections under the limit.
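The rule above only ACCEPTs connections under the limit; unless a later rule or the INPUT chain's default policy drops the remainder, the excess SYN packets fall through and nothing is limited. The following is an added example, not code from the datarekisteri repository, showing the complete pair of rules for the port the app is proxied behind. The port, rate and burst values are assumptions for illustration, and `IPT` can be pointed at `echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the datarekisteri repository: a complete per-source
# SYN rate limit for the app's listening port, i.e. the README's hashlimit rule
# followed by the DROP that makes it effective. Port, rate and burst values are
# assumptions; adjust them for the actual deployment.
# Usage:  sh syn-limit.sh 443 10/sec 10
#         IPT="echo iptables" sh syn-limit.sh 443      (dry run, prints the rules)
IPT="${IPT:-iptables}"

# rate_limit_port PORT [RATE] [BURST]: accept at most RATE new connections per
# source address to PORT (with a burst of BURST), then drop the remainder.
rate_limit_port() {
    port=$1; rate=${2:-10/sec}; burst=${3:-10}
    # Connections under the limit: accept.
    $IPT -A INPUT -p tcp --dport "$port" --syn -m hashlimit \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name "syn-$port" -j ACCEPT
    # Everything else from that source to that port: drop. Without this rule the
    # hashlimit match above changes nothing for traffic over the limit.
    $IPT -A INPUT -p tcp --dport "$port" --syn -j DROP
}

if [ $# -gt 0 ]; then rate_limit_port "$@"; fi
```

Note that this only slows down connection floods from individual source addresses; it does nothing against a distributed flood, and the app itself still has no request-level limits.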