| | Commit message | Author | Age | Files |
|---|---|---|---|---|
* | Webmail: Compress static resources. | Guilhem Moulin | 2020-05-17 | 1 |
| | We leave dynamic pages (those passed to PHP-FPM) alone for now: compressing them would make us vulnerable to BREACH attacks. This will be revisited once Roundcube 1.5 is released: 1.5 adds support for the same-site cookie attribute which once set to 'Strict' makes it immune to BREACH attacks: https://github.com/roundcube/roundcubemail/pull/6772 https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies | | | |
* | Webmail: Fix allowed extensions for static resources. | Guilhem Moulin | 2020-05-17 | 1 |
| | `$ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\n" \| sed -r "s/^([^.]+)(.*)/\1\2\t\2/" \| sort -k2 \| uniq -c -f1` | | | |
* | Webmail: Improve Content-Security-Policy. | Guilhem Moulin | 2020-05-17 | 1 |
* | Roundcube: Port to Debian 10. | Guilhem Moulin | 2020-05-17 | 1 |
| | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme. | | | |
* | Roundcube: improve serving of static resources. | Guilhem Moulin | 2018-12-06 | 1 |
| | We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run `find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \| sed -n 's/.*\.//p' \| sort \| uniq -c` | | | |
* | Upgrade webmail baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 1 |
* | nginx: add support for HTTP/2. | Guilhem Moulin | 2016-12-13 | 1 |
* | nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 1 |
| | Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out. | | | |
* | Roundcube's CSP: remove 'upgrade-insecure-requests' and 'block-all-mixed-content'. | Guilhem Moulin | 2016-04-08 | 1 |
* | Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs. | Guilhem Moulin | 2016-04-07 | 1 |
| | Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/ | | | |
* | Set frame-ancestors from 'none' to 'self' in roundcube's CSP. | Guilhem Moulin | 2016-04-02 | 1 |
* | wibble | Guilhem Moulin | 2016-04-02 | 1 |
* | Set a HPKP on the webmail, website/wiki/git and list manager. | Guilhem Moulin | 2016-04-01 | 1 |
* | Set a CSP on the webmail, website/wiki and list manager. | Guilhem Moulin | 2016-04-01 | 1 |
* | Set HTTP security headers. | Guilhem Moulin | 2016-03-30 | 1 |
| | See https://securityheaders.io. | | | |
* | Let's Encrypt | Guilhem Moulin | 2016-03-02 | 1 |
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1 |
* | nginx: Move include.d/* to snippets/. | Guilhem Moulin | 2015-12-20 | 1 |
* | nginx: s/conf.d/include.d/ | Guilhem Moulin | 2015-12-15 | 1 |
* | wibble | Guilhem Moulin | 2015-12-09 | 1 |
* | nginx: mv ssl/config conf.d/ssl | Guilhem Moulin | 2015-12-09 | 1 |
* | Upgrade the webmail configuration from Wheezy to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
* | Make Nginx send the intermediate certificate along with the server's. | Guilhem Moulin | 2015-06-07 | 1 |
* | Generate certs for Dovecot and Nginx if they are not there. | Guilhem Moulin | 2015-06-07 | 1 |
* | Allow Roundcube to offer JavaScript. | Guilhem Moulin | 2015-06-07 | 1 |
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
* | Configure the webmail. | Guilhem Moulin | 2015-06-07 | 1 |
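The log entries above record three nginx-side decisions for the webmail that are worth seeing together: compress only static resources so that dynamic, request-token-carrying pages stay out of BREACH's reach (2020-05-17); serve static files only from an allowlist of sub-directories and extensions and answer everything else with a 404 (2018-12-06); and set a Content-Security-Policy whose `frame-ancestors` is `'self'` and whose `img-src` admits data: URIs and remote URLs, without `upgrade-insecure-requests` or `block-all-mixed-content` (2016-04). The server block below is an added illustration written for this page; it is not the fripost configuration and not code from the Roundcube project. The hostname, certificate paths, PHP-FPM socket name, extension list and CSP source lists are assumptions to be checked against the installed Roundcube version and skin. The HPKP header from the 2016 entries is left out on purpose: major browsers have since removed support for Public-Key-Pins, so it no longer buys anything and still carries the lock-out risk the 2016-07-12 entry mentions.

```nginx
# Added example for this page (not fripost's snippets, not Roundcube's):
# an nginx server block for a Debian Roundcube install applying the
# decisions recorded in the log above.  Hostname, certificate and socket
# paths, the extension list and the CSP source lists are assumptions.

server {
    listen 443 ssl http2;
    server_name webmail.example.org;                                   # assumed
    # fullchain.pem carries the intermediate along with the leaf cert.
    ssl_certificate     /etc/letsencrypt/live/webmail.example.org/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/webmail.example.org/privkey.pem;    # assumed path
    root /var/lib/roundcube;                                           # Debian package layout

    # Compression stays off by default.  Dynamic pages embed the session's
    # request token next to attacker-influenced data (mail subjects,
    # search strings), which is exactly the precondition BREACH needs.
    gzip off;

    # Security headers.  'always' keeps them on 4xx/5xx responses too.
    # nginx caveat: add_header directives are inherited only by location
    # blocks that define none of their own, so keep them all at server
    # level (or in one snippet that every location includes).
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;   # same effect as frame-ancestors 'self'
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # frame-ancestors 'self' rather than 'none' because the webmail frames
    # its own pages; img-src allows data: URIs and any http(s) host, since
    # HTML mail embeds images both ways.  No upgrade-insecure-requests or
    # block-all-mixed-content.  Whether script-src/style-src need
    # 'unsafe-inline' depends on the Roundcube version: start strict and
    # loosen only for violations the browser console actually reports.
    add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https:; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; object-src 'none'" always;

    # Static resources: allowlist of sub-directories AND extensions, and
    # nothing else.  These bodies carry no secrets, so compressing them is
    # safe.  Derive the extension list from the find/sed/uniq pipeline
    # quoted in the log, run over the installed tree; the list here is a
    # plausible assumption, not the output of that command.
    location ~ ^/(plugins|program/js|program/resources|skins)/.+\.(css|js|png|gif|jpg|svg|ico|woff2?|ttf|eot|html)$ {
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
    }

    # Front controller: every dynamic request goes to index.php via PHP-FPM.
    location = / {
        rewrite ^ /index.php last;
    }
    location = /index.php {
        include snippets/fastcgi-php.conf;              # shipped with Debian's nginx
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;     # assumed socket name
    }

    # Deny by default with 404 rather than 403: config/, logs/, temp/,
    # *.php under plugins/, editor backups and anything else unlisted all
    # look the same as a missing file.  nginx normalises ".." before
    # matching locations, so /skins/../config/config.inc.php ends up here
    # as well.  The upstream .htaccess approach enumerates directories to
    # deny and serves whatever it forgot; that blocklist would look like
    #   location ~ ^/(config|logs|temp)/ { return 404; }   # NOT used here
    location / {
        return 404;
    }
}
```

Before deploying, run `nginx -t`, then request a known config path (for example `/config/config.inc.php`) and a static asset and confirm a 404 for the former and a `Content-Encoding: gzip` response for the latter only; also check that the front-controller response carries no `Content-Encoding` header, since that is the property the 2020-05-17 entry relies on.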