More hardening

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-09-13 14:40:42 -04:00
parent fb2cbf80bb
commit 2f05dc5c7c
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
3 changed files with 11 additions and 4 deletions


@ -14,7 +14,8 @@ Matrix Synapse Docker-Compose
- Enable `encryption_enabled_by_default_for_room_type` by default
- Edit whatever else you might want to
4. Copy config.sample.json from https://github.com/vector-im/element-web to `./element/config.json` and make the approriate adjustments
5. Tighten the Content Security Policy in `swag/nginx/ssl.conf` to suit your needs
5. Copy the config from https://github.com/matrix-org/pantalaimon to `./pantalaimon/pantalaimon.conf` and edit it accordingly
6. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
7. Create a user for mjolnir
8. Copy the config from https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml to `./mjolnir/config/production.yaml` and edit it accordingly. If you want Mjolnir to recieve reports instead of Synapse, make it listen on `0.0.0.0:8081`. You will also need to uncomment the approprieate lines in `./swag/nginx/proxy-confs/synapse.subdomain.conf` as well.
8. Copy the config from https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml to `./mjolnir/config/production.yaml` and edit it accordingly. If you want Mjolnir to recieve reports instead of Synapse, make it listen on `0.0.0.0:8081`. You will also need to uncomment the approprieate lines in `./swag/nginx/proxy-confs/synapse.subdomain.conf` as well.


@ -58,9 +58,10 @@ services:
restart: unless-stopped
container_name: element
volumes:
- ./element-config.json:/app/config.json:Z
- ./element/config.json:/app/config.json:Z
networks:
- matrix
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
@ -69,6 +70,9 @@ services:
- CHOWN
- SETGID
- SETUID
tmpfs:
- /var/run:size=50M,mode=0770,noexec,nosuid,nodev
- /var/cache/nginx:size=50M,mode=0770,noexec,nosuid,nodev
swag:
image: ghcr.io/linuxserver/swag
@ -103,6 +107,7 @@ services:
- synapse
networks:
- matrix
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
@ -118,6 +123,7 @@ services:
- pantalaimon
networks:
- matrix
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
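Review bot: The corrected bind mount `./element/config.json:/app/config.json:Z` on the element service is still mounted read-write although the container only needs to read it; `- ./element/config.json:/app/config.json:ro,Z` would keep the host file immutable from inside the container and matches the `read_only: true` added in the same hunk. The `read_only: true` flags added in the two later hunks (`@ -103` and `@ -118`) come without any accompanying `tmpfs` entries in view, unlike element, which gets `/var/run` and `/var/cache/nginx`; if those images write to runtime, cache or PID paths at startup they will fail under a read-only root, so either confirm they do not or add matching tmpfs mounts with the same `noexec,nosuid,nodev` options. Each of these service definitions starts and ends outside the hunks shown.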


@ -37,8 +37,8 @@ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; prelo
# Optional additional headers
#add_header Cache-Control "no-transform" always;
add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content; form-action 'none'; frame-ancestors 'none'" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src * https: data:; manifest-src 'self'; media-src 'self'; script-src * https:; style-src 'self' 'unsafe-inline'; frame-src https://www.recaptcha.net; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header X-UA-Compatible "IE=Edge" always;
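Review bot: The two new `add_header` lines for Content-Security-Policy and Permissions-Policy drop the `always` flag that the replaced lines carried and that `Referrer-Policy` and `X-Content-Type-Options` in the same hunk keep, so nginx will omit both headers from responses whose status is outside its default set, notably 4xx/5xx error pages. Restore it on both: `add_header Content-Security-Policy "…" always;` and `add_header Permissions-Policy "…" always;`. Separately, `script-src * https:` (and likewise `connect-src * https:` and `img-src * https: data:`) permits loading from any origin, which leaves little of the policy's script protection beyond blocking inline and `data:` scripts; if Element's widgets or integration managers do not actually need it, tightening to `'self'` plus the specific hosts required would be a real gain. The `https:` scheme source is redundant next to `*` in any case.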