Mercurial > hg > nginx-site
annotate xml/en/docs/njs/security.xml @ 2935:918ec12be507
njs-0.7.10.
| author | Yaroslav Zhuravlev <yar@nginx.com> |
|---|---|
| date | Tue, 07 Feb 2023 17:42:18 +0000 |
| parents | bd8482c5a7fe |
| children |
| rev | line source |
|---|---|
|
2924
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
1 <?xml version="1.0"?> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
2 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
3 <!-- |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
4 Copyright (C) Nginx, Inc. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
5 --> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
6 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
7 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
8 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
9 <article name="Security" |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
10 link="/en/docs/njs/security.html" |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
11 lang="en" |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
12 rev="1" |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
13 toc="no"> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
14 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
15 <section> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
16 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
17 <para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
18 All njs security issues should be reported to |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
19 <literal>security-alert@nginx.org</literal>. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
20 </para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
21 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
22 <para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
23 Patches are signed using one of the |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
24 <link doc="../../pgp_keys.xml">PGP public keys</link>. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
25 </para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
26 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
27 </section> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
28 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
29 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
30 <section id="considerations" name="Special considerations"> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
31 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
32 <para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
33 njs does not evaluate dynamic code |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
34 and especially the code received from the network in any way. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
35 The only way to evaluate that code using njs |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
36 is to configure the |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
37 <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
38 directive in nginx. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
39 JavaScript code is loaded once during nginx start. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
40 </para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
41 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
42 <para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
43 In nginx/njs threat model, JavaScript code is considered a trusted source |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
44 in the same way as <literal>nginx.conf</literal> and sites certificates. |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
45 What this means in practice: |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
46 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
47 <list type="bullet"> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
48 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
49 <listitem> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
50 memory disclosure and other security issues |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
51 triggered by JavaScript code modification |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
52 are not considered security issues, but as ordinary bugs |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
53 </listitem> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
54 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
55 <listitem> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
56 measures should be taking for protecting JavaScript code used by njs |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
57 </listitem> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
58 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
59 <listitem> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
60 if no <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
61 directives are present in <literal>nginx.conf</literal>, |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
62 nginx is safe from JavaScript-related vulnerabilities |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
63 </listitem> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
64 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
65 </list> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
66 </para> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
67 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
68 </section> |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
69 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
70 |
|
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
71 </article> |