# Reverse proxy configuration
A CSP should be defined that blocks all scripts, as the app doesn't need any client-side scripting. `X-Content-Type-Options: nosniff` prevents browsers from misidentifying files as stylesheets or scripts.


```
Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'
X-Content-Type-Options: nosniff
```

The reverse proxy must also enforce HTTPS, which can be done by redirecting all HTTP requests to HTTPS and setting the Strict-Transport-Security header.

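
As an added example (not part of the original notes), the check below verifies offline that a set of response headers matches the policy described above: a CSP that locks `script-src` and `object-src` to `'none'`, `nosniff`, and HSTS. The `KNOWN_DIRECTIVES` list and the one-year `min_hsts_age` default are assumptions of the example, and it flags misspelled CSP directives such as `scrip-src`, which browsers silently ignore.

```python
# Added example (not from the original notes): offline check that a proxy's
# response headers match the policy described above. Sample header values
# passed to check_headers() are constructed, not captured from a real host.

# Directives browsers recognise (assumed subset). Unknown directives are
# silently ignored, so a typo such as "scrip-src" leaves scripts governed by
# default-src instead of being blocked.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "object-src",
    "connect-src", "font-src", "frame-src", "frame-ancestors", "base-uri",
    "form-action", "media-src", "worker-src", "upgrade-insecure-requests",
}

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security header (0 if absent)."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().isdigit():
            return int(arg)
    return 0

def check_headers(headers: dict[str, str], min_hsts_age: int = 31536000) -> list[str]:
    """Return findings for the headers; an empty list means they match the policy."""
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        findings += [f"unknown CSP directive '{d}' (ignored by browsers)"
                     for d in policy if d not in KNOWN_DIRECTIVES]
        # The app serves no scripts or plugins, so both must be locked to 'none'.
        findings += [f"CSP {d} is not 'none'" for d in ("script-src", "object-src")
                     if policy.get(d) != ["'none'"]]
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    age = hsts_max_age(lower.get("strict-transport-security", ""))
    if age < min_hsts_age:
        findings.append(f"HSTS max-age {age} below {min_hsts_age}")
    return findings
```

Feed it the headers from a `curl -I` of the deployed proxy to confirm the typo-free policy is actually what clients receive.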
# DoS attack mitigation

The app itself does nothing to mitigate DoS attacks. As a bare minimum, you should rate limit the app's endpoint.


```
$ iptables -A INPUT -p tcp -m tcp --syn -m hashlimit \
    --hashlimit-upto 10/sec --hashlimit-burst 10 --hashlimit-mode srcip,dstport \
    --hashlimit-name conn-srcip-dport-rate-limit -j ACCEPT
# ACCEPT alone limits nothing: SYNs over the limit must be dropped by a following rule (or a DROP policy).
$ iptables -A INPUT -p tcp -m tcp --syn -j DROP
```

This, for example, rate limits new TCP connections per source IP and destination port.