document security headers in .htaccess

2024-11-26 07:22:11 +00:00 · 2021-03-10 12:11:52 +01:00 · 2021-03-10 12:11:52 +01:00 · 612567f0de
commit 612567f0de
parent 06df2f544c
2 changed files with 14 additions and 0 deletions
--- a/1
+++ b/1
@ -17,6 +17,7 @@
 - fix security hole which allowed under certain conditions to access
  arbitrary files
 - use mandatory reviewers/approvers when adding files by webdav
+- set some http security headers in .htaccess

 --------------------------------------------------------------------------------
                     Changes in version 5.1.21
--- a/doc/README.Install.md
+++ b/doc/README.Install.md
@ -80,6 +80,19 @@ http://your-domain/ or http://your-domain/seeddms51x.
 SECURITY CONSIDERATIONS
 =======================

+First of all you should always access your SeedDMS installation through
+a secured https connection, unless you know precisly what are you doing.
+SeedDMS ships an .htaccess file which already has some common security
+http headers set. In order for them to apply you need to activate the
+headers module. On Debian this can be done with
+
+```
+a2enmod headers
+```
+
+Protect directories with data or configuration
+---------------------------------------------
+
 A crucial point when setting up SeedDMS is the propper placement of the
 data directory. Do not place it below your document root as
 configured in your web server! If you do so, there is good change that