Security best practice

iTop is based on PHP and its content is served by web-server.

This page reference PHP and web-server configuration that will enhance the security of your iTop installation.

You should serve your pages only using the https protocol.

As stated by wikipedia: it protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication.

While PHP default configuration is quite relevant from a security point of view, it can be enhanced: you should change the default value for those entries:

In order to prevent malicious javascript code to sniff the user's session, you should enable session.cookie_httponly (see php documentation)

you can do so either in your php.ini using session.cookie_httponly = 1, or within apache with php_flag session.cookie_httponly on.

If you use https, you should enable this directive so cookies are only sent over secure connections, see php documentation.

While not as critical as the previous configuration, you can configure those http headers within your web server in order to add extra layer of security. Since this page try to remain simple, the headers mentioned here can often be fine tuned to be even more restrictive.

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" env=HTTPS

This tell browsers that it should only be accessed using HTTPS, instead of using HTTP. more informations

Header always set X-Frame-Options "sameorigin"

This indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. MDN documentation.

Header always set X-Content-Type-Options "nosniff"

This allows to opt-out of MIME type sniffing (the MIME types advertised in the Content-Type headers should not be changed), MDN documentation.

This helps to detect and mitigate Cross Site Scripting (XSS) and data injection attacks.

Beware: this header will block any not authorized domain, this make it is more difficult to properly configure. The MDN has an excellent article: Content Security Policy (CSP), you should refer to it in order to perform a proper configuration.

A basic configuration may be

Header set Content-Security-Policy "default-src 'self' www.itophub.io;script-src 'self' www.itophub.io 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline';img-src  'self' data: blob: www.itophub.io "

But, for example if you make use of recaptcha or other, you will have to allow also “www.google.com” and “www.gstatic.com”:

Header set Content-Security-Policy "default-src 'self' www.itophub.io;script-src 'self' www.google.com www.gstatic.com www.itophub.io 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline';img-src  'self' data: blob: www.itophub.io "

Regarding the difficulty to maintain a correct configuration, we do not include this header in the example below, but if you feel confortable with extra maintenance, you can add it.

php_flag session.cookie_httponly on
Header always set X-Frame-Options "sameorigin"
Header always set X-Content-Type-Options "nosniff"
 
# only for https:
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" 
php_flag session.cookie_secure on