From e51570eab50218a5b33107041e66dc34e0646bd5 Mon Sep 17 00:00:00 2001
From: Martin Trigaux
Date: Mon, 9 Oct 2023 09:25:56 +0200
Subject: [PATCH] [IMP] administration: add instructions to enable HSTS

closes odoo/documentation#6082

X-original-commit: 6a2725e6043016336f8406ebe46d37bb395b3890
Signed-off-by: Martin Trigaux (mat)
---
 content/administration/install/deploy.rst | 31 +++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/content/administration/install/deploy.rst b/content/administration/install/deploy.rst
index 14d7093ed..d43e17260 100644
--- a/content/administration/install/deploy.rst
+++ b/content/administration/install/deploy.rst
@@ -345,6 +345,11 @@ in ``/etc/nginx/sites-enabled/odoo.conf`` set:
 proxy_set_header X-Real-IP $remote_addr;
 proxy_redirect off;
 proxy_pass http://odoo;
+
+ # Enable HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ # requires nginx 1.19.8
+ proxy_cookie_flags session_id samesite=lax secure;
 }
 
 # common gzip
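Review bot: `add_header Strict-Transport-Security ...` is added inside what appears to be a `location` block (the hunk shows `proxy_pass http://odoo;` and a closing `}`, but the block's opening line is outside the hunk), and nginx inherits `add_header` directives from the enclosing level only when the current level sets none, so any headers the `server` level already adds are silently dropped for this location and any sibling `location` blocks get no HSTS header at all. Setting the header once at the `server` level of the HTTPS server is the more robust placement. Without the `always` parameter nginx also attaches the header only to a fixed set of success and redirect status codes, so error responses go out without it; `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` covers them. The same snippet is repeated in the prose of the next hunk and should be kept in sync with whatever form is chosen here.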
@@ -352,6 +357,31 @@ in ``/etc/nginx/sites-enabled/odoo.conf`` set:
 gzip on;
 }
 
+HTTPS Hardening
+---------------
+
+Add the `Strict-Transport-Security` header to all requests, in order to prevent
+browsers from ever sending a plain HTTP request to this domain. You will need
+to maintain a working HTTPS service with a valid certificate on this domain at
+all times, otherwise your users will see security alerts or be entirely unable
+to access it.
+
+Force HTTPS connections during a year for every visitor in NGINX with the line:
+
+.. code-block:: nginx
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+Additional configuration can be defined for the `session_id` cookie. The `Secure`
+flag can be added to ensure it is never transmitted over HTTP and `SameSite=Lax`
+to prevent authenticated `CSRF`_.
+
+.. code-block:: nginx
+
+ # requires nginx 1.19.8
+ proxy_cookie_flags session_id samesite=lax secure;
+
+
 Odoo as a WSGI Application
 ==========================
 
@@ -727,6 +757,7 @@ Here are the supported browsers:
 environment than over the internet.
 
 .. _regular expression: https://docs.python.org/3/library/re.html
+.. _CSRF: https://en.wikipedia.org/wiki/Cross-site_request_forgery
 .. _ARP spoofing: https://en.wikipedia.org/wiki/ARP_spoofing
 .. _Nginx termination example: https://nginx.com/resources/admin-guide/nginx-ssl-termination/
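Review bot: The paragraph under `HTTPS Hardening` warns only that HTTPS must keep working on "this domain", but the snippet sets `includeSubDomains`, which extends the cached policy to every subdomain for the full `max-age`; a single subdomain that is still served over plain HTTP becomes unreachable from any browser that has already seen the header. A sentence after the `max-age` line would close that gap, e.g. `With includeSubDomains the same requirement applies to every subdomain of this domain; omit that directive if any subdomain must stay reachable over plain HTTP.` Because browsers keep the policy until a shorter or zero `max-age` is received over HTTPS, it is also worth recommending a short `max-age` for a first rollout before moving to a year.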