EPrints Technical Mailing List Archive

Message: #09390



Re: [EP-tech] referrer policy and permission policy (headers)


Hi Tomasz and Matty,

I have written the following page on the EPrints wiki about Apache hardening for EPrints.

https://wiki.eprints.org/w/Apache_Hardening

For referrer policy I think the setting is still appropriate but different to what has been discussed.  However, the permission policy probably needs to be updated to be incorporated into the Content Security Policy (CSP).  However, designing a CSP can be difficult, as you may have bits you want to set at an application level, some bits at a virtualhost level and then some bits at a request level.  Ensuring the finalised CSP header is all correct for all types of request has been a tricky task in my experience [1].  Also, how EPrints manages requests makes it tricky to modify headers in EPrints code/config.

Regards

David Newman
[1] https://httpd.apache.org/docs/2.4/mod/mod_headers.html

On 06/09/2023 10:54 pm, Matthew Kerwin wrote:
CAUTION: This e-mail originated outside the University of Southampton.

QUT ePrints (https://eprints.qut.edu.au/) does send those and other security-focused response header fields.

I’ve found the Mozilla Developer Network is consistently a good resource for describing options, e.g. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy

Cheers

-- 
Matty Kerwin (he/him)

Web Developer
EDR Development
Digital Business Solutions


Queensland University of Technology
Email: matthew.kerwin@qut.edu.au
KG-X232, Kelvin Grove Campus

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of Tomasz Neugebauer
Sent: Thursday, September 7, 2023 6:27 AM
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] referrer policy and permission policy (headers)

CAUTION: This e-mail originated outside the University of Southampton.

Does anyone have a referrer policy header (see: https://scotthelme.co.uk/a-new-security-header-referrer-policy/) and/or a permission policy header (https://www.w3.org/TR/permissions-policy-1/?ref=scotthelme.co.uk) set on their EPrints servers?

What do you have as the settings for these?

Since we have an HSTS / HTTPS-only site, I am considering adding the following as the referrer-policy: no-referrer-when-downgrade. I wonder if that would break anything, though?

I have no idea about permission policy; I just know that it’s one of the headers that is required for a higher security score at https://securityheaders.com/

Tomasz
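An added, offline check for the two headers Tomasz asks about and the multi-level mod_headers problem David describes (example code, not EPrints code and not from the wiki page linked above): it parses a Permissions-Policy value, flags Referrer-Policy tokens that still send the full URL to cross-origin HTTPS sites (no-referrer-when-downgrade is one, even on an HTTPS-only site), and reports a header that reaches the client twice. The sample header lines are constructed.

```python
import re

# Tokens that still send the full URL (path + query) to cross-origin HTTPS sites.
FULL_URL_LEAKING = {"unsafe-url", "no-referrer-when-downgrade"}
VALID_REFERRER = FULL_URL_LEAKING | {"no-referrer", "origin", "same-origin",
    "origin-when-cross-origin", "strict-origin", "strict-origin-when-cross-origin"}
# Permissions-Policy entries: feature=*, feature=self, feature=() or feature=(self "https://a.example")
PP_ENTRY = re.compile(r'([a-z0-9-]+)=(\*|self|\([^)]*\))')

def parse_permissions_policy(value):
    """Return {feature: allowlist}; an empty list means the feature is disabled."""
    policy = {}
    for feature, allow in PP_ENTRY.findall(value):
        policy[feature] = ([allow] if allow in ("*", "self")
                           else [t.strip('"') for t in allow[1:-1].split()])
    return policy

def audit(headers):
    """headers: list of (name, value) pairs as sent on the wire; returns findings."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    # mod_headers directives at different levels can emit the same field twice;
    # browsers apply the last recognised Referrer-Policy token, so check the last one.
    for name, values in by_name.items():
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times, check Header set/add levels")
    rp = by_name.get("referrer-policy")
    if not rp:
        findings.append("referrer-policy: missing")
    elif rp[-1] not in VALID_REFERRER:
        findings.append(f"referrer-policy: unknown token {rp[-1]!r}")
    elif rp[-1] in FULL_URL_LEAKING:
        findings.append(f"referrer-policy: {rp[-1]} still sends full URL to cross-origin HTTPS sites")
    pp = by_name.get("permissions-policy")
    if not pp:
        findings.append("permissions-policy: missing")
    else:
        for feature, allow in parse_permissions_policy(pp[-1]).items():
            if allow == ["*"]:
                findings.append(f"permissions-policy: {feature} allowed for all origins")
    return findings

# Constructed sample, as if captured with `curl -sI` from an EPrints vhost.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", 'camera=(), geolocation=(self "https://maps.example"), fullscreen=*'),
]
```

Call `audit(SAMPLE)` (or pass in headers captured from your own vhost) to get the list of findings.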


*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/