*SECURITY* imroved TLS security; avoid indexing by search engines (!1954) · Merge requests · unitybase / ubjs

Pavlo Mashliakovskiy requested to merge feat/httpSecurity into master Jan 16, 2025

 - *SECURITY* main application page now contains a rule (header `X-Robots-Tag: noindex, nofollow`) to avoid being indexed by Google.
   Rule can be removed by sets `ubConfig.application.customSettings.visibleForSearchEngines` to `true`
 - *SECURITY* removed `X-XSS-Protection` header from main application page (deprecated by browsers, unsafe)
 - *SECURITY* improvements in generated nginx config for HTTPS:
   - removed support for TLS1.1 (remains TLS1.2 and TLS1.3)
   - use a modern ssl_ciphers set
   - added support for DHE/EDH and Forward Secrecy 
   - (Linux) added generation of DH params file if not exists; on Windows should be generated manually

*SECURITY* imroved TLS security; avoid indexing by search engines

Merge request reports

SECURITY imroved TLS security; avoid indexing by search engines