diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..133723221
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+Considering the amount of resources necessary to backport security or bug fixes to previous, unsupported CryptPad versions, it's not something we do.
+However, we quickly release new minor versions in case of need.
+
+Please keep up with the latest release published here: https://github.com/cryptpad/cryptpad/releases
+
+Note that every GitHub release page has an RSS compatible feed that you can subscribe on to be informed of every new release.
+
+We do also communicate about this topic on:
+- [Our blog](https://blog.cryptpad.org)
+- [Our Matrix public space](https://matrix.to/#/#cryptpad:matrix.xwiki.com)
+- [Our Mastodon account](https://fosstodon.org/@cryptpad)
+
+## Reporting a Vulnerability
+
+Vulnerabilities can be reported using the GitHub Security interface. You can also send us an email at security@cryptpad.org
diff --git a/docs/cryptpad.service b/docs/cryptpad.service
index efd06e488..8565e1f8e 100644
--- a/docs/cryptpad.service
+++ b/docs/cryptpad.service
@@ -14,6 +14,10 @@
 Restart=always
 # Restart service after 10 seconds if node service crashes
 RestartSec=2
+# Proper logging to journald
+StandardOutput=journal
+StandardError=journal+console
+
 User=cryptpad
 Group=cryptpad
 # modify to match your working directory
diff --git a/docs/example.httpd.conf b/docs/example.httpd.conf
new file mode 100644
index 000000000..d8b0d8d00
--- /dev/null
+++ b/docs/example.httpd.conf
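Review bot: `StandardError=journal+console` mirrors the service's stderr to the system console on top of journald, which the new comment `# Proper logging to journald` does not reflect; application error output can carry request and user context, so an operator should know it also lands on the console. If the console copy is deliberate (boot-time debugging), say so in the comment, e.g. `# Log stdout and stderr to journald; stderr is additionally mirrored to the system console`; otherwise `StandardError=journal` matches the stdout setting and keeps the unit's logging in one place. The context comment just above still says "10 seconds" while `RestartSec=2`; that is pre-existing, but this hunk is touching the same block and could align the two.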
@@ -0,0 +1,35 @@
+# This file is included strictly as an example of how Apache httpd can be
+# configured to work with CryptPad. If you are using CryptPad in production
+# and require professional support please contact sales@cryptpad.fr
+
+# This configuration requires mod_ssl, mod_socache_shmcb, mod_proxy,
+# mod_proxy_http and mod_headers
+
+Listen 443
+
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLSessionCache "shmcb:logs/ssl_scache(512000)"
+SSLSessionCacheTimeout 86400
+SSLSessionTickets off
+SSLUseStapling on
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
+ ServerName cryptpad.your-domain.com
+ ServerAlias sandbox.your-domain.com
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/your-domain.com/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ Protocols h2 http/1.1
+ LimitRequestBody 157286400
+ ProxyPass / http://localhost:3000/ upgrade=websocket
+ ProxyPassReverse / http://localhost:3000/
+
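Review bot: The module list in the header comment is incomplete for the directives that follow: `Protocols h2 http/1.1` only offers HTTP/2 when mod_http2 is loaded, and `ProxyPass / http://localhost:3000/ upgrade=websocket` relies on the websocket upgrade support in mod_proxy_http, which as far as I recall arrived in Apache 2.4.47 (older builds need mod_proxy_wstunnel and a separate websocket ProxyPass), so an admin who loads only the listed modules gets a server that quietly serves HTTP/1.1 only or fails the CryptPad websocket handshake. I would extend the comment to `# This configuration requires mod_ssl, mod_socache_shmcb, mod_proxy, mod_headers, mod_http2` and `# and mod_proxy_http (Apache >= 2.4.47 for upgrade=websocket)`. The `BrowserMatch "MSIE [2-5]"` stanza is legacy boilerplate that no TLS 1.2+ client will ever match and could be dropped to keep the example focused on what CryptPad needs. The VirtualHost opening and closing lines do not survive in this rendering of the hunk, so the indented directives are reviewed on the assumption that they sit inside a `*:443` vhost.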