Securing HTTPS Connections¶
- To secure your RhodeCode Enterprise instance against Cross Frame Scripting (clickjacking) exploits, you should configure your webserver to send the X-Frame-Options header.
- To configure your instance for HTTP Strict Transport Security, you need to either have your webserver send the Strict-Transport-Security header or enable the use_htsts option in RhodeCode Enterprise.
Nginx Configuration¶
In your nginx configuration, add the following lines in the correct files. For more detailed information see the Nginx HTTP Server Configuration section.

    # Add this line to the nginx.conf file (http context)
    add_header X-Frame-Options SAMEORIGIN;

    # This line needs to be added inside your virtual hosts block/file
    # (the server block that terminates TLS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

Note that nginx only inherits add_header directives from the enclosing http block when the server or location block defines no add_header of its own. As soon as you add the Strict-Transport-Security line to a server block, that block stops inheriting the X-Frame-Options line from nginx.conf, so repeat add_header X-Frame-Options SAMEORIGIN; in every server (or location) block that sets its own headers. Reload nginx and inspect the response headers afterwards to confirm both are present.
Apache Configuration¶
In your apache2.conf file, or the virtual host file it includes, add the following lines. The Header directive requires mod_headers (a2enmod headers on Debian/Ubuntu). For more detailed information see the Apache HTTP Server Configuration section.

    # Add this to your virtual hosts file
    Header always append X-Frame-Options SAMEORIGIN

    # Add this line in your virtual hosts file
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Two caveats. First, append joins SAMEORIGIN onto any X-Frame-Options value the backend already sends, giving a multi-valued header such as SAMEORIGIN, SAMEORIGIN that browsers handle inconsistently; prefer set, which replaces any existing value, unless you specifically need to append. Second, the preload token asks browsers to hardcode your domain as HTTPS-only once you submit it to the HSTS preload list and is slow to undo, so only keep it if you intend to submit the domain. Put the Strict-Transport-Security line only in the https virtual host, since browsers ignore HSTS received over plain http.
RhodeCode Enterprise Configuration¶
RhodeCode Enterprise can also be configured to force strict https connections and Strict Transport Security. To set this, change the following options from their defaults (shown below) to true in the rhodecode.ini file, then restart RhodeCode Enterprise.

    ## force https in RhodeCode, fixes https redirects, assumes it's always https
    force_https = false

    ## use Strict-Transport-Security headers
    use_htsts = false

force_https = true makes RhodeCode Enterprise build its URLs and redirects with https even when a reverse proxy in front of it terminates TLS and talks plain http to the application, which is what "fixes https redirects" refers to. use_htsts = true makes the application add the Strict-Transport-Security header itself, so you can set the header either here or in the webserver rather than in both places.
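As an added check, not code from the RhodeCode documentation or the project: a POSIX shell script that audits the response headers of an instance after the nginx, Apache or RhodeCode changes above, applying the strict rules a reviewer would use (exactly one X-Frame-Options header with a single SAMEORIGIN or DENY value, and HSTS with a max-age of at least one year). The hostname code.example.com in the usage comment is a placeholder, and the three sample responses are constructed to show a correct server, the nginx add_header inheritance pitfall, and the Apache append pitfall.

```shell
#!/bin/sh
# Added example (not part of the RhodeCode documentation): check that a server
# really sends the two headers configured above. Feed it the raw response
# headers of your instance, for example (hostname is a placeholder):
#   audit_headers "$(curl -s -o /dev/null -D - https://code.example.com/)"

# Print the value of one header (case-insensitive name, CRLF stripped).
# Several matching header lines are printed as several lines.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Strict check: exactly one X-Frame-Options header whose whole value is
# SAMEORIGIN or DENY. A missing header (nginx inheritance pitfall) and a
# joined value such as "SAMEORIGIN, SAMEORIGIN" (Apache append pitfall)
# both fail; so do two separate X-Frame-Options lines.
check_xfo() {
    xfo=$(header_value x-frame-options "$1" | tr 'a-z' 'A-Z')
    case "$xfo" in
        SAMEORIGIN|DENY) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract max-age from the first Strict-Transport-Security header (browsers
# only process the first one); prints nothing if the header is absent.
hsts_max_age() {
    header_value strict-transport-security "$1" | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Pass only if HSTS is present with max-age of at least one year, the
# smaller of the two values used in the nginx and Apache examples above.
check_hsts() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Report both checks; returns 1 if either fails.
audit_headers() {
    rc=0
    if check_xfo "$1"; then
        echo "OK   X-Frame-Options"
    else
        echo "FAIL X-Frame-Options missing, duplicated or not SAMEORIGIN/DENY"; rc=1
    fi
    if check_hsts "$1"; then
        echo "OK   Strict-Transport-Security"
    else
        echo "FAIL Strict-Transport-Security missing or max-age below 31536000"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

# What you get when the HSTS add_header in the nginx server block stops the
# X-Frame-Options add_header in nginx.conf from being inherited.
NO_XFO_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains'

# What "Header always append" produces when the backend already sent the
# header, plus an HSTS max-age far too short to be useful.
DOUBLE_XFO_RESPONSE='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Strict-Transport-Security: max-age=300; includeSubDomains'

for r in "$GOOD_RESPONSE" "$NO_XFO_RESPONSE" "$DOUBLE_XFO_RESPONSE"; do
    audit_headers "$r" || true
    echo "---"
done
```

Run it once against the plain http URL of the instance as well: the redirect response there should carry no Strict-Transport-Security header at all, and if it does the header is in the wrong virtual host.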