From 1379a583525351458d2675d3fc81840eec7f73fe Mon Sep 17 00:00:00 2001
From: Florent Daigniere <nextgens@freenetproject.org>
Date: Sat, 12 Nov 2022 14:50:30 +0100
Subject: [PATCH] Basic hardening

---
 tests/compose/webmail/01_ensure_admin_unreachable.sh |  6 +++---
 webmails/nginx-webmail.conf                          | 11 ++++++++++-
 webmails/php.ini                                     |  3 +++
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/tests/compose/webmail/01_ensure_admin_unreachable.sh b/tests/compose/webmail/01_ensure_admin_unreachable.sh
index c4afc76a..a3864b78 100755
--- a/tests/compose/webmail/01_ensure_admin_unreachable.sh
+++ b/tests/compose/webmail/01_ensure_admin_unreachable.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
-[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of rainloop hasn't returned 200!" >>/dev/stderr && exit 1
-[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of rainloop is not disabled!" >>/dev/stderr && exit 1
+[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/` -ne 200 ]] && echo "The default page of snappymail hasn't returned 200!" >>/dev/stderr && exit 1
+[[ `curl -I -so /dev/null -w "%{http_code}" http://localhost/?admin` -ne 403 ]] && echo "The admin of snappymail is not disabled!" >>/dev/stderr && exit 1
diff --git a/webmails/nginx-webmail.conf b/webmails/nginx-webmail.conf
index 5e5f8ec3..b1149c49 100644
--- a/webmails/nginx-webmail.conf
+++ b/webmails/nginx-webmail.conf
@@ -16,6 +16,11 @@ server {
 
     # set maximum body size to configured limit
     client_max_body_size {{ MESSAGE_SIZE_LIMIT|int + 8388608 }};
+    fastcgi_hide_header X-Powered-By;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header Referrer-Policy "no-referrer" always;
 
     location / {
         try_files $uri $uri/ /index.php$args;
@@ -42,10 +47,14 @@ server {
         {% endif %}
     }
 
-    location ~ /\. {
+    location ~ (^|/)\. {
         deny all;
     }
 
+    location ~* ^/(config|temp|logs) {
+       deny all;
+    }
+
     location ^~ /data {
        deny all;
     }
diff --git a/webmails/php.ini b/webmails/php.ini
index af9ce8c5..884dda72 100644
--- a/webmails/php.ini
+++ b/webmails/php.ini
@@ -6,3 +6,6 @@ session.auto_start=Off
 mbstring.func_overload=Off
 file_uploads=On
 error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_errors=Off
+log_errors=On
+zlib.output_compression=Off