From edc4fe3826bdbe7766b549047c1bd6bd99a29212 Mon Sep 17 00:00:00 2001
From: Vivek Singh
Date: Thu, 20 May 2021 14:33:35 +0530
Subject: [PATCH 1/4] Apache sets up README by putting auto indexing. This is mis-construed and frowned upon by some security testers.

---
 bahmni-web/scripts/postinstall.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bahmni-web/scripts/postinstall.sh b/bahmni-web/scripts/postinstall.sh
index 50ccd670..1fdb184f 100644
--- a/bahmni-web/scripts/postinstall.sh
+++ b/bahmni-web/scripts/postinstall.sh
@@ -89,11 +89,16 @@ setupOfflineMetadata(){
 ln -s /opt/bahmni-web/etc/offlineMetadata.json /var/www/html/offlineMetadata.json
 }
+removeAutoIndexConf(){
+ mv /etc/httpd/conf.d/autoindex.conf /tmp/
+}
+
 setupConfFiles
 setupCacheDir
 setupClientSideLogging
 setupApps
 setupOfflineMetadata
+removeAutoIndexConf
 if [[ "${IMPLEMENTATION_NAME:-default}" = "default" ]]; then
 setupConfigs
From 41333ae56a22ae2c50e0bf5808ec54a08e549e68 Mon Sep 17 00:00:00 2001
From: Vivek Singh
Date: Wed, 2 Jun 2021 11:45:05 +0530
Subject: [PATCH 2/4] disable CSRF on all bahmni applications by making the SameSite strict

---
 bahmni-web/resources/ssl.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bahmni-web/resources/ssl.conf b/bahmni-web/resources/ssl.conf
index e01c4f6a..37aed934 100644
--- a/bahmni-web/resources/ssl.conf
+++ b/bahmni-web/resources/ssl.conf
@@ -109,6 +109,8 @@ SSLCryptoDevice builtin
+Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
+
 ##
 ## SSL Virtual Host Context
 ##
From 1242fb6f0f4c94a57596d65a295051c3add037eb Mon Sep 17 00:00:00 2001
From: Vivek Singh
Date: Fri, 11 Jun 2021 13:32:07 +0530
Subject: [PATCH 3/4] Replace Location header field in response with https corresponding value. Without this CSRF SameSite settings will not send the cookie on redirects. OpenMRS redirects after legacy login to http instead of https (because OpenMRS knows only http because of ssl termination on apache). Referer header is unset to protect against referred based javascript/html/css attacks.

---
 bahmni-web/resources/ssl.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bahmni-web/resources/ssl.conf b/bahmni-web/resources/ssl.conf
index 37aed934..73f5dbbd 100644
--- a/bahmni-web/resources/ssl.conf
+++ b/bahmni-web/resources/ssl.conf
@@ -110,6 +110,8 @@ SSLCryptoDevice builtin
 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
+Header edit Location ^http://(.*)$ https://$1
+RequestHeader unset Referer
 ##
 ## SSL Virtual Host Context
From 23e1e06d9fcdcfee12e504511e173bf8138bd06e Mon Sep 17 00:00:00 2001
From: Vivek Singh
Date: Tue, 22 Jun 2021 17:39:10 +0530
Subject: [PATCH 4/4] The recommended Security headers

---
 bahmni-web/resources/ssl.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bahmni-web/resources/ssl.conf b/bahmni-web/resources/ssl.conf
index 73f5dbbd..6de0e711 100644
--- a/bahmni-web/resources/ssl.conf
+++ b/bahmni-web/resources/ssl.conf
@@ -112,6 +112,8 @@ SSLCryptoDevice builtin
 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
 Header edit Location ^http://(.*)$ https://$1
 RequestHeader unset Referer
+Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+Header always set X-Frame-Options "deny"
 ##
 ## SSL Virtual Host Context
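Review bot: Moving autoindex.conf out of conf.d in `removeAutoIndexConf` does not by itself stop directory listings — on the stock httpd package mod_autoindex is typically loaded from conf.modules.d, and any `Options Indexes` in httpd.conf or the vhost keeps generating listings, only without the icons and README that autoindex.conf configures; the durable fix is `Options -Indexes` on the served Directory in the vhost config, which I cannot see from this hunk. The `mv` to /tmp is also not idempotent: a second run of postinstall.sh fails because the file is gone (and aborts the script if it runs under `set -e`, which is outside the hunk), and an httpd package update can put the file back. If the move is kept, guard it and keep the original out of a purgeable directory, `[ -f /etc/httpd/conf.d/autoindex.conf ] && mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.disabled`.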
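Review bot: The added `Header edit Set-Cookie` line acts only on the onsuccess header table, so a Set-Cookie that arrives on a non-2xx response — such as the post-login redirect that patch 3 deals with — may pass through without HttpOnly/Secure/SameSite; which table a proxied backend's Set-Cookie lands in depends on the response status, so the safe form is to repeat the directive with `always`, `Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict` (the two conditions are not supersets of each other). The unconditional append also duplicates attributes when the backend already emits HttpOnly or Secure, which is harmless but makes the cookie harder to read in reviews. SameSite=Strict is defence in depth rather than a replacement for the application's own CSRF tokens, and it also withholds the session cookie on top-level navigations from external links, so users following such a link hit the login page once. Note the line sits before the `## SSL Virtual Host Context` section, i.e. at server scope rather than inside the SSL vhost.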
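Review bot: `RequestHeader unset Referer` strips the header from the inbound request to the backend, which does not change what the browser sends to other sites — the referrer leakage the commit message describes is governed by a `Referrer-Policy` response header, e.g. `Header always set Referrer-Policy "strict-origin-when-cross-origin"`. Removing Referer from the backend request can also defeat any Referer/Origin-based CSRF check the backend performs, which would work against the intent of patch 2; whether OpenMRS relies on it is not visible here. The `Header edit Location ^http://(.*)$ https://$1` rule rewrites every redirect, including ones to third-party hosts that only serve http; scoping the pattern to the proxied hostname, or using `ProxyPassReverse` for the backend, limits it to the case the commit message actually targets. As with patch 2, the directive lacks `always`, so a redirect whose headers land in the error table may not be rewritten.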
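Review bot: `X-Frame-Options "deny"` also refuses same-origin framing, so if any Bahmni page embeds another in an iframe it will break; `SAMEORIGIN`, or a `Content-Security-Policy` with `frame-ancestors 'self'`, is the usual choice when that is possible — whether Bahmni's apps frame one another is not visible in this hunk. `includeSubDomains` with a two-year max-age commits every subdomain of the host to HTTPS, and browsers will refuse plain-http subdomains for the whole period once they have seen the header, so confirm no subdomain is served over http before this ships. The set is also missing `Header always set X-Content-Type-Options "nosniff"`, which is normally listed alongside these two. These directives are placed before the `## SSL Virtual Host Context` section, i.e. at server scope rather than inside the SSL vhost, so they apply to every vhost in this file.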