Securing HTTPS Connections
- To secure your RhodeCode Enterprise instance against Cross Frame Scripting exploits, you should configure your web server's x-frame-options setting.
- To configure your instance for HTTP Strict Transport Security, you need to configure the Strict-Transport-Security setting.
Nginx
In your nginx configuration, add the following lines in the correct files. For more detailed information see the Nginx HTTP Server Configuration section.
# Add this line to the nginx.conf file
add_header X-Frame-Options SAMEORIGIN;
# This line needs to be added inside your virtual hosts block/file
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Apache
In your apache2.conf file, add the following lines. For more detailed information see the Apache HTTP Server Configuration section.
# Add this to your virtual hosts file
Header always append X-Frame-Options SAMEORIGIN
# Add this line in your virtual hosts file
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
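As an added example (not part of the RhodeCode documentation), the following Python check parses the two headers configured in the Nginx and Apache sections above from a response-header mapping and reports what is missing or weaker than the values on this page. The header sets below are constructed to mirror those snippets, not captured from a live instance.

```python
from typing import Dict, List

# Constructed sample header sets (not captured from a real server).
SAMPLE_HEADERS = {
    "nginx_ok": {
        "X-Frame-Options": "SAMEORIGIN",
        "Strict-Transport-Security": "max-age=31536000; includeSubdomains;",
    },
    "apache_ok": {
        "x-frame-options": "SAMEORIGIN",
        "strict-transport-security": "max-age=63072000; includeSubdomains; preload",
    },
    "no_hsts": {"X-Frame-Options": "SAMEORIGIN"},
    "short_max_age": {
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=300; includeSubdomains",
    },
}

MIN_MAX_AGE = 31536000  # one year, the smaller of the two values used on this page


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header into lower-cased directive names -> values.
    Directive names are case-insensitive (RFC 6797); empty tokens such as
    the trailing ';' in the Nginx snippet are ignored."""
    directives: Dict[str, str] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both headers look right."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value: {xfo!r}")
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
        return findings
    d = parse_hsts(hsts)
    if not d.get("max-age", "").isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(d["max-age"]) < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {d['max-age']} is shorter than {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains")
    return findings
```

Feeding a real instance's response headers (for example `dict(requests.head(url).headers)`) into `check_headers` turns this into a quick post-deployment check that the directives actually reached the client.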
RhodeCode Enterprise Configuration
RhodeCode Enterprise can also be configured to force strict https connections and Strict Transport Security. To enable this, set the following two options to true in the /home/user/.rccontrol/instance-id/rhodecode.ini file (they are shown below with the value false):
## force https in RhodeCode, fixes https redirects, assumes it's always https
force_https = false
## use Strict-Transport-Security headers
use_htsts = false