annotate xml/en/docs/njs/security.xml @ 2984:cc475ba7d406
Added Preload Objects article in njs.
author | Yaroslav Zhuravlev <yar@nginx.com> |
---|---|
date | Thu, 01 Jun 2023 17:12:18 +0100 |
parents | bd8482c5a7fe |
children |
rev | line source |
---|---|
2924
bd8482c5a7fe
Added "Security" section in njs.
Yaroslav Zhuravlev <yar@nginx.com>
parents:
diff
changeset
|
1 <?xml version="1.0"?> |
2 |
3 <!-- |
4 Copyright (C) Nginx, Inc. |
5 --> |
6 |
7 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
8 |
9 <article name="Security" |
10 link="/en/docs/njs/security.html" |
11 lang="en" |
12 rev="1" |
13 toc="no"> |
14 |
15 <section> |
16 |
17 <para> |
18 All njs security issues should be reported to |
19 <literal>security-alert@nginx.org</literal>. |
20 </para> |
21 |
22 <para> |
23 Patches are signed using one of the |
24 <link doc="../../pgp_keys.xml">PGP public keys</link>. |
25 </para> |
26 |
27 </section> |
28 |
29 |
30 <section id="considerations" name="Special considerations"> |
31 |
32 <para> |
33 njs does not evaluate dynamic code |
34 and especially not code received from the network in any way. |
35 The only way to evaluate that code using njs |
36 is to configure the |
37 <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link> |
38 directive in nginx. |
39 JavaScript code is loaded once during nginx start. |
40 </para> |
41 |
42 <para> |
43 In the nginx/njs threat model, JavaScript code is considered a trusted source |
44 in the same way as <literal>nginx.conf</literal> and site certificates. |
45 What this means in practice: |
46 |
47 <list type="bullet"> |
48 |
49 <listitem> |
50 memory disclosure and other security issues |
51 triggered by JavaScript code modification |
52 are considered ordinary bugs, not security issues |
53 </listitem> |
54 |
55 <listitem> |
56 measures should be taken to protect JavaScript code used by njs |
57 </listitem> |
58 |
59 <listitem> |
60 if no <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link> |
61 directives are present in <literal>nginx.conf</literal>, |
62 nginx is safe from JavaScript-related vulnerabilities |
63 </listitem> |
64 |
65 </list> |
66 </para> |
67 |
68 </section> |
69 |
70 |
71 </article> |
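
One way to check the last two points of the threat model above, as an added example that is not part of the nginx documentation or the njs project: list the files named by `js_import` in a configuration file and flag any that are missing or writable by group or others. The function names and the rule for resolving relative paths (the configuration file's directory unless a base directory is passed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the nginx/njs project): audit who can modify the
# JavaScript that js_import loads. Relative paths are resolved against a
# base directory (assumption; a deployment may set js_path instead).

# Print the file named by each js_import directive, skipping commented
# lines. Handles "js_import main.js;" and "js_import main from http.js;".
list_js_imports() {
    sed -n 's/^[[:space:]]*js_import[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$1" |
        awk '{ print $NF }' | tr -d "\"'"
}

# Succeed only if the file exists and is not group- or world-writable.
# -L follows symlinks so the target's mode is what gets checked.
js_file_is_protected() {
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        "" | ?????w???? | ????????w?) return 1 ;;
    esac
    return 0
}

# Audit one config file; the exit status is the number of findings.
# Paths containing whitespace are not handled.
audit_njs_conf() {
    conf=$1 base=${2:-$(dirname "$1")} bad=0
    imports=$(list_js_imports "$conf")
    if [ -z "$imports" ]; then
        echo "no js_import directives: no JavaScript is loaded"
        return 0
    fi
    for f in $imports; do
        case "$f" in /*) path=$f ;; *) path=$base/$f ;; esac
        if js_file_is_protected "$path"; then
            echo "ok: $path"
        else
            echo "FINDING: $path is missing or group/world-writable"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run `audit_njs_conf` on every file pulled in through `include` as well, since `js_import` may appear in any of them.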