
Topic: Security header check by securityheaders.com

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? 3.6(LDAP)
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi moderator,
I ran a header check with the securityheaders.com site and it reported three negative results:
Missing Headers : Strict-Transport-Security and Feature-Policy
Warnings    : Content-Security-Policy

How reliable is this site's check? Do the messages above need to be resolved? How do I resolve them?

In /etc/nginx/conf-enabled/headers.conf I tried modifying and adding the following:
# HSTS requires a max-age directive (RFC 6797); one year here, with subdomains
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

#add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
add_header Content-Security-Policy "default-src https: data: ; script-src 'self'";

add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";

With the above changes I do get an A+; but in phpLDAPadmin the "left half of the page does not display properly", although the functions still work.
The iRedAdmin-Pro backend and Roundcube both work normally.

Thanks.



Re: Security header check by securityheaders.com

- phpLDAPadmin has not been updated for several years, so it is no surprise that it does not cope with these headers. Its behaviour after adding these HTTP headers should not be treated as a reference. Beyond that, we recommend no longer using phpLDAPadmin at all.
- If these headers do not affect iRedAdmin-Pro / Roundcube / SOGo and your own web applications, we recommend adding them.
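An offline stand-in for the securityheaders.com check discussed in this thread, as an added example that is not part of the forum posts or of iRedMail: it reads one HTTP response header block and reports the three findings the poster saw (missing HSTS and Feature-Policy, a CSP warning), including the case of an HSTS header that lacks max-age. Both header blocks are constructed; the `curl` hostname is a placeholder, and nothing beyond POSIX sh and awk is assumed.

```shell
# Added example, not from this thread or from iRedMail: an offline stand-in for the
# securityheaders.com checks the poster ran. It reads one HTTP response header block
# and reports the three findings named in the post. Both header blocks are constructed;
# against a live server you would pipe in `curl -sI https://<your-mail-host>/` instead.

# Constructed: what the poster's first headers.conf attempt roughly emits.
BEFORE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: includeSubdomains
Content-Security-Policy: default-src https: data: ; script-src 'self'
EOF
)
# Constructed: the same response with the headers corrected.
AFTER_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: data: ; script-src 'self'
Feature-Policy: camera 'none'; microphone 'none'
EOF
)
# header_value NAME: value of header NAME from the block on stdin (name matched
# case-insensitively, CR stripped); prints nothing if the header is absent.
header_value() {
    tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, ":") && tolower(substr($0, 1, index($0, ":") - 1)) == want {
            sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}
# check_headers: read a header block from stdin, print one finding per line;
# no output means all three headers are present and sound.
check_headers() {
    block=$(cat)
    hsts=$(printf '%s\n' "$block" | header_value Strict-Transport-Security)
    csp=$(printf '%s\n' "$block" | header_value Content-Security-Policy)
    fp=$(printf '%s\n' "$block" | header_value Feature-Policy)
    # RFC 6797 makes max-age mandatory; browsers ignore an HSTS header without it.
    case "$hsts" in
        "") echo "MISSING Strict-Transport-Security" ;;
        *max-age=*) ;;
        *) echo "INVALID Strict-Transport-Security: no max-age directive" ;;
    esac
    # securityheaders.com warns on a CSP that keeps unsafe-inline / unsafe-eval.
    case "$csp" in
        "") echo "MISSING Content-Security-Policy" ;;
        *unsafe-inline*|*unsafe-eval*) echo "WARN Content-Security-Policy permits unsafe-inline/unsafe-eval" ;;
    esac
    [ -n "$fp" ] || echo "MISSING Feature-Policy"
}
# finding_count: number of findings for the block on stdin (0 means clean).
finding_count() { check_headers | grep -c . || true; }
```

Running `printf '%s\n' "$BEFORE_HEADERS" | check_headers` reports the invalid HSTS header and the missing Feature-Policy, while the corrected block produces no findings.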