Improve a bit the default rules

author: jvoisin 2019-01-16 23:51:26 +0100
committer: jvoisin 2019-01-16 23:51:26 +0100
commit: 50b4a15c27fdcecfb6344469ba7717a38897fa87 (patch)
tree: 65c86d863958d6380a98792509a88a0c0082ad5e
parent: 5a6bdf6836730463b065021713500602b317e2c8 (diff)
1 files changed, 26 insertions, 0 deletions
diff --git a/config/default.rules b/config/default.rules
index f8fb1f8..11d91b9 100644
--- a/config/default.rules
+++ b/config/default.rules
@@ -1,10 +1,36 @@
+# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io).
+# It contains "reasonable" defaults that won't break your websites,
+# and a lot of commented directives that you can enable if you want to 
+# have a better protection.
 # Harden the PRNG
 sp.harden_random.enable();
 # Disabled XXE
 sp.disable_xxe.enable();
+# Global configuration variables
+# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
+# Globally activate strict mode
+# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
+# sp.global_strict.enable();
+# Prevent unserialize-related exploits
+# sp.unserialize_hmac.enable();
+# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
+# sp.readonly_exec.enable();
+# Php has a lot of wrappers, most of them aren't usually useful, you should 
+# only enable the ones you're using.
+# sp.wrappers_whitelist.list("file,php,phar");
+# Prevent sloppy comparisons.
+# sp.sloppy_comparison.enable();
 # use SameSite on session cookie
+# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 # Harden the `chmod` function
author	jvoisin	2019-01-16 23:51:26 +0100
committer	jvoisin	2019-01-16 23:51:26 +0100
commit	50b4a15c27fdcecfb6344469ba7717a38897fa87 (patch)
tree	65c86d863958d6380a98792509a88a0c0082ad5e
parent	5a6bdf6836730463b065021713500602b317e2c8 (diff)

diff --git a/config/default.rules b/config/default.rules index f8fb1f8..11d91b9 100644 --- a/config/default.rules +++ b/config/default.rules
@@ -1,10 +1,36 @@
		1	# This is the default configuration file for Snuffleupagus (https://snuffleupagus.rtfd.io).
		2	# It contains "reasonable" defaults that won't break your websites,
		3	# and a lot of commented directives that you can enable if you want to
		4	# have a better protection.
		5
1	# Harden the PRNG	6	# Harden the PRNG
2	sp.harden_random.enable();	7	sp.harden_random.enable();
3		8
4	# Disabled XXE	9	# Disabled XXE
5	sp.disable_xxe.enable();	10	sp.disable_xxe.enable();
6		11
		12	# Global configuration variables
		13	# sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
		14
		15	# Globally activate strict mode
		16	# https://secure.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
		17	# sp.global_strict.enable();
		18
		19	# Prevent unserialize-related exploits
		20	# sp.unserialize_hmac.enable();
		21
		22	# Only allow execution of read-only files. This is a low-hanging fruit that you should enable.
		23	# sp.readonly_exec.enable();
		24
		25	# Php has a lot of wrappers, most of them aren't usually useful, you should
		26	# only enable the ones you're using.
		27	# sp.wrappers_whitelist.list("file,php,phar");
		28
		29	# Prevent sloppy comparisons.
		30	# sp.sloppy_comparison.enable();
		31
7	# use SameSite on session cookie	32	# use SameSite on session cookie
		33	# https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
8	sp.cookie.name("PHPSESSID").samesite("lax");	34	sp.cookie.name("PHPSESSID").samesite("lax");
9		35
10	# Harden the `chmod` function	36	# Harden the `chmod` function