mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 15:52:41 +01:00
phorge-phorge/src/applications
epriestley 751ffe123d Support HTTP Strict Transport Security
Summary:
Ref T4340. The attack this prevents is:

  - An adversary penetrates your network. They acquire one of two capabilities:
    - Your server is either configured to accept both HTTP and HTTPS, and they acquire the capability to observe HTTP traffic.
    - Or your server is configured to accept only HTTPS, and they acquire the capability to control DNS or routing. In this case, they start a proxy server to expose your secure service over HTTP.
  - They send you a link to `http://secure.service.com` (note HTTP, not HTTPS!)
  - You click it since everything looks fine and the domain is correct, not noticing that the "s" is missing.
  - They read your traffic.

This is similar to attacks where `https://good.service.com` is proxied to `https://good.sorvace.com` (i.e., a similar looking domain), but can be more dangerous -- for example, the browser will send (non-SSL-only) cookies and the attacker can write cookies.

This header instructs browsers that they can never access the site over HTTP and must always use HTTPS, defusing this class of attack.

Test Plan:
  - Configured HTTPS locally.
  - Accessed site over HTTP (got application redirect) and HTTPS.
  - Enabled HSTS.
  - Accessed site over HTTPS (to set HSTS).
  - Tore down HTTPS part of the server and tried to load the site over HTTP. Browser refused to load "http://" and automatically tried to load "https://". In another browser which had not received the "HSTS" header, loading over HTTP worked fine.
  - Brought the HTTPS server back up, things worked fine.
  - Turned off the HSTS config setting.
  - Loaded a page (to set HSTS with expires 0, disabling it).
  - Tore down the HTTPS part of the server again.
  - Tried to load HTTP.
  - Now it worked.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D11820
2015-02-19 10:33:48 -08:00
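The exchange the commit message describes, as an added example that is not Phabricator's code: a server that emits the header only over HTTPS (max-age=0 once the setting is turned off) and a simplified browser-side HSTS store that upgrades http:// links and honours expiry. The hostname secure.service.com is the one used in the message above; the one-year max-age and the store's behaviour are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HSTS = "Strict-Transport-Security"

def hsts_header(scheme, hsts_enabled, max_age=31536000):
    """Header value the server should emit for this request, or None.
    Browsers ignore HSTS received over plain HTTP, so it is only sent over
    HTTPS; with the setting off, max-age=0 makes browsers forget the host
    (the "expires 0" step in the test plan)."""
    if scheme != "https":
        return None
    return "max-age=%d" % (max_age if hsts_enabled else 0)

class HstsStore:
    """Browser-side list of hosts that may only be reached over HTTPS."""
    def __init__(self):
        self.hosts = {}  # hostname -> expiry time (seconds)

    def observe(self, url, headers, now):
        """Record or clear a policy from a response fetched over HTTPS only."""
        parts = urlsplit(url)
        m = re.search(r"max-age=(\d+)", headers.get(HSTS) or "")
        if parts.scheme != "https" or m is None:
            return  # a proxy speaking plain HTTP cannot set the policy
        if int(m.group(1)) == 0:
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = now + int(m.group(1))

    def navigate(self, url, now):
        """Return the URL the browser will actually request for this link."""
        parts = urlsplit(url)
        expiry = self.hosts.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and expiry > now:
            return urlunsplit(("https",) + parts[1:])  # refuse the http:// link
        return url

def walkthrough(site="secure.service.com"):
    """Replay the test plan: enable HSTS, click an http:// link, disable HSTS."""
    store = HstsStore()
    # Normal HTTPS visit with the setting on: the policy is remembered.
    store.observe("https://%s/" % site, {HSTS: hsts_header("https", True)}, now=0)
    upgraded = store.navigate("http://%s/login" % site, now=10)
    # Admin turns the setting off; the next HTTPS load sends max-age=0.
    store.observe("https://%s/" % site, {HSTS: hsts_header("https", False)}, now=20)
    cleared = store.navigate("http://%s/login" % site, now=30)
    return upgraded, cleared
```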
almanac Fix pht method calls 2015-02-10 18:57:45 +11:00
aphlict/management Fix visibility of PhutilArgumentWorkflow::didConstruct methods 2015-01-16 07:42:07 +11:00
arcanist/conduit Fix a method call in arcanist.projectinfo 2015-02-02 14:38:40 -08:00
audit Touch up Audit/Commit List UI 2015-02-19 07:03:18 -08:00
auth Allow logged-out users to accept invites on nonpublic installs 2015-02-13 11:00:41 -08:00
base Legalpad - allow for legalpad documents to be required to be signed for using Phabricator 2015-02-12 15:22:56 -08:00
cache Fix visibility of LiskDAO::getConfiguration() 2015-01-14 06:54:13 +11:00
calendar Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
celerity Legalpad - allow for legalpad documents to be required to be signed for using Phabricator 2015-02-12 15:22:56 -08:00
chatlog Remove getIconName from all applications 2015-01-30 12:11:21 -08:00
conduit Fix pht method calls 2015-02-10 18:57:45 +11:00
config Support HTTP Strict Transport Security 2015-02-19 10:33:48 -08:00
conpherence Improve error messaging for empty Conpherence threads 2015-02-16 11:31:00 -08:00
console Move DarkConsole to an application 2014-10-13 11:17:09 -07:00
countdown Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
daemon Fix a minor issue with killing daemons 2015-02-17 14:20:57 -08:00
dashboard Add ability to query dashboard panels by paneltype 2015-02-18 10:50:37 -08:00
differential Have DifferentialRevisionListView return ObjectBoxView 2015-02-19 08:11:17 -08:00
diffusion Improve visibility of repository credential errors 2015-02-19 10:32:25 -08:00
diviner Fix undefined variable 2015-02-19 07:23:01 +11:00
doorkeeper Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
draft/storage Fix visibility of LiskDAO::getConfiguration() 2015-01-14 06:54:13 +11:00
drydock Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
fact PHUIErrorView 2015-02-01 20:14:56 -08:00
feed Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
files Improve config option documentation for Imagemagick 2015-02-17 15:31:20 -08:00
flag Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
fund MetaMTA - update documentation and make config a tad easier 2015-02-12 11:05:39 -08:00
harbormaster Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
help Update Phabricator header to use FontAwesome 2014-12-04 13:01:23 -08:00
herald Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
home Allow Home and Dashboards to be uninstalled 2015-02-11 15:24:54 -08:00
legalpad Legalpad - make "Cancel" button "Log Out" button for required signature documents 2015-02-18 13:19:07 -08:00
lipsum Apply some autofix linter rules 2014-09-10 06:55:05 +10:00
macro Lock all reply-handler options in the upstream, plus cookie prefix 2015-02-13 11:00:09 -08:00
mailinglists Add a policy restricting mailing list management 2015-02-17 11:14:26 -08:00
maniphest Add crumb border to maniphest reports 2015-02-15 18:13:24 -08:00
meta MetaMTA - update documentation and make config a tad easier 2015-02-12 11:05:39 -08:00
metamta MetaMTA - update documentation and make config a tad easier 2015-02-12 11:05:39 -08:00
notification Force Aphlict server connections to HTTP 2015-02-18 07:07:26 -08:00
nuance Remove getIconName from all applications 2015-01-30 12:11:21 -08:00
oauthserver OAuth - make sure users know they are exposing their primary email address 2015-02-17 14:19:33 -08:00
owners Lock all reply-handler options in the upstream, plus cookie prefix 2015-02-13 11:00:09 -08:00
passphrase Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
paste Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
people Conduit - return primary email if its verified in user methods 2015-02-17 14:13:49 -08:00
phame Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
phid MetaMTA - add (basic) application emails and deploy to Maniphest 2015-01-19 16:07:26 -08:00
phlux Remove getIconName from all applications 2015-01-30 12:11:21 -08:00
pholio Lock all reply-handler options in the upstream, plus cookie prefix 2015-02-13 11:00:09 -08:00
phortune Phortune - require high security sessions for subscription edits 2015-02-18 11:37:30 -08:00
phpast Use PhutilXHPASTBinary methods 2015-02-03 06:59:16 +11:00
phragment PHUIErrorView 2015-02-01 20:14:56 -08:00
phrequent Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
phriction MetaMTA - update documentation and make config a tad easier 2015-02-12 11:05:39 -08:00
policy Reject objects with invalid policies instead of fataling 2015-02-10 06:16:42 -08:00
ponder Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
project Project - don't create the empty tag on create anymore 2015-02-17 15:03:57 -08:00
releeph Add getGroup to ConfigOptions 2015-02-09 13:10:56 -08:00
remarkup/conduit Rename Conduit classes 2014-07-25 10:54:15 +10:00
repository Improve visibility of repository credential errors 2015-02-19 10:32:25 -08:00
search Dashboards - introduce ability to optionally allow SearchEngines to be used as dashboard panels 2015-02-11 13:43:59 -08:00
settings Update Phabricator to work with more modular translations 2015-02-11 13:02:35 -08:00
slowvote Policy - filter app engines where the user can't see the application from panel editing 2015-02-04 15:47:48 -08:00
subscriptions Allow public on list of subscribers 2015-02-18 11:11:12 -08:00
support/application Implement the getName method in PhabricatorApplication subclasses 2014-07-23 23:52:50 +10:00
system Fix visibility of PhutilArgumentWorkflow::didConstruct methods 2015-01-16 07:42:07 +11:00
tokens Remove getIconName from all applications 2015-01-30 12:11:21 -08:00
transactions Policy - add an explanation for automatic capabilities for transactions and transaction comments 2015-02-02 14:41:50 -08:00
typeahead Projects - tokenize [ProjectX] so "projectX" is a match 2015-01-09 14:09:13 -08:00
uiexample Add bigtext option to PHUIActionPanelView 2015-02-09 07:27:54 -08:00
xhprof Set Header on XHProf ObjectBox 2015-02-18 16:03:02 -08:00