I'll turn off dragon.archlinux.org in 2 weeks unless someone objects. It
used to host our backups, but these have since moved to
Evangelos and me checked if there are any important files left on there,
but we couldn't find any. If someone else wants to check, you'll have
two weeks to speak up. Otherwise I'll null the disks and cancel the
I have enabled Certificate Authority Authorization (RFC 6844) on both our main domains,
archlinux.org and pkgbuild.com. Since we only use letsencrypt to issue certificates, I
have added a CAA record only allowing it to issue SSL certificates. We can easily change
it if needed in the future.
I have also enabled 2FA for hetzner. Since it allows more than one token, the idea is for
each one of us in the devops team to have a separate token. I'm going to send you all an
encrypted email with the recovery key. This key should only be used in the unlikely event
that we have any of our 2FA compromised or we need to login to the account in and emergency.
If we use this recovery key, a new one should be issued and emailed to all the members again.
I have created a token for myself, and I'm going to add another "master" token that I'll add
to the ansible vault. You guys can use this token to login and create another for yourself.
Please add your ansible username to the description, like I have done for my token.
Aaron, since you don't have root access to the ansible repository, I can either give you access or,
if you don't want to handle ansible stuff, I can email separately to you both the recovery key and
the "master" token seed so you can create your own.
Below is a proposal to increase our websecurity for *.archlinux.org
Better security through Content Security Policy and other headers.
Either sending CSP headers via nginx or modifying the web application to
send the correct headers. Configuring via nginx is probably the easiest
way to distribute these changes.
# Which sites
Excluded is security.archlinux.org, which already includes all of the
below headers via flask-talisman.
# Which headers
The HTTP X-XSS-Protection response header is a feature of Internet Explorer,
Chrome and Safari that stops pages from loading when they detect reflected
cross-site scripting (XSS) attacks.
This is mostly superseded by CSP, but still is not harmfull to add.
add_header X-Xss-Protection "1; mode=block" always;
The X-Content-Type-Options response HTTP header is a marker used by the server
to indicate that the MIME types advertised in the Content-Type headers should
not be changed and be followed.
Check bugtracker/archweb if this breaks attachments or other files which are download.
add_header X-Content-Type-Options "nosniff" always;
The X-Frame-Options HTTP response header can be used to indicate whether or not
a browser should be allowed to render a page in a <frame>, <iframe> or <object>
. Sites can use this to avoid clickjacking attacks, by ensuring that their
content is not embedded into other sites.
I don't believe we want to allow embedding our websites.
add_header X-Frame-Options "SAMEORIGIN" always;
The HTTP Content-Security-Policy response header allows web site administrators
to control resources the user agent is allowed to load for a given page. With a
few exceptions, policies mostly involve specifying server origins and script
endpoints. This helps guard against cross-site scripting attacks (XSS).
This might differ a bit per site, Archweb for example requires unsafe-inline /
the same origin and restricted. An example policy would be:
add_header Content-Security-Policy "default-src 'self'; style-src 'self'; font-src 'self'; form-action 'self';"
* inline CSS => archweb/aurweb => use a nonce or rewrite.
* unsafe-eval => this should never be allowed and should be fixed
The following website nicely shows the enabled security headers.
More information about these headers can be found here.
Jelle van der Waa