Website
Stop Tihange operates one website, hosted on Cloudflare Pages. The site is served under the hostnames:
- www.stop-tihange.org
- www.anti-akw-ac.de

The following hostnames redirect to this site:
- stop-tihange.org > www.stop-tihange.org
- anti-akw-ac.de > www.anti-akw-ac.de
- stop-tihange.eu > www.stop-tihange.org
- www.stop-tihange.eu > www.stop-tihange.org
Cloudflare Pages hosts the website for www.stop-tihange.org. The site is built with Hugo; its source is version-controlled on GitHub and deployed to Cloudflare Pages via CI/CD. The design is provided by the Hugo theme Ananke. For the hostnames named above, set up:
- custom domains for both websites.
- for all redirects, follow this instruction:

```
stop-tihange.org/* > https://www.stop-tihange.org/$1
anti-akw-ac.de/* > https://www.anti-akw-ac.de/$1
*stop-tihange.eu/* > https://www.stop-tihange.org/$2
```
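To check that the three rules above map every hostname from the redirect list to its intended target before they are deployed, the following added example (not part of this page or of the project's own tooling) re-implements the wildcard matching locally: each `*` in a pattern becomes a capture group and `$n` in the target is replaced by the n-th match, which is the semantics the rules rely on. The sample paths are constructed, and the matcher is only a local approximation of what Cloudflare applies, ignoring the scheme and case handling.

```python
import re

# The redirect rules from the page, as "<pattern> > <target>" pairs.
# "*" is a wildcard; "$1", "$2", ... in the target stand for the 1st, 2nd, ... wildcard match.
REDIRECT_RULES = [
    ("stop-tihange.org/*", "https://www.stop-tihange.org/$1"),
    ("anti-akw-ac.de/*", "https://www.anti-akw-ac.de/$1"),
    ("*stop-tihange.eu/*", "https://www.stop-tihange.org/$2"),
]


def compile_pattern(pattern):
    """Translate a wildcard pattern into an anchored regex, one capture group per '*'."""
    literals = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "(.*)".join(literals) + "$")


def resolve_redirect(url):
    """Return the redirect target for url, or None when no rule applies.
    The scheme is dropped, since the page's rules match on host and path only."""
    subject = url.split("://", 1)[-1]
    for pattern, target in REDIRECT_RULES:
        match = compile_pattern(pattern).match(subject)
        if match:
            # Replace every "$n" in the target with the n-th wildcard match.
            return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), target)
    return None


# Constructed expectations derived from the page's hostname list; the paths
# and query string are made up to exercise the "$n" substitution.
EXPECTED = {
    "https://stop-tihange.org/aktuelles/": "https://www.stop-tihange.org/aktuelles/",
    "http://anti-akw-ac.de/": "https://www.anti-akw-ac.de/",
    "https://stop-tihange.eu/kontakt": "https://www.stop-tihange.org/kontakt",
    "https://www.stop-tihange.eu/kontakt?x=1": "https://www.stop-tihange.org/kontakt?x=1",
    "https://www.stop-tihange.org/": None,  # canonical host: no redirect
}


def check_redirect_table(expected=EXPECTED):
    """Return the URLs whose computed target differs from the expectation (empty list = all good)."""
    return [url for url, target in expected.items() if resolve_redirect(url) != target]


if __name__ == "__main__":
    for url in EXPECTED:
        print(url, "->", resolve_redirect(url))
    print("mismatches:", check_redirect_table())
```

Running the script prints each sample URL with its computed target and an empty mismatch list; adding a hostname to `EXPECTED` without a matching rule makes it show up there, which is the check worth repeating whenever a rule is changed.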
Follow the Staging Domain instructions for the domain staging.stop-tihange.org.
Only the staging website is protected by access management. Users authenticate by receiving a one-time PIN via email. Because it is not yet clear who will need access, protecting the site this way allows any email address to be added to the One-time PIN provider.
- Add One-time PIN to staging, following this documentation, for the staging environments:
  - *.stop-tihange-website.pages.dev and
  - staging.stop-tihange.org

All needed email addresses must be added to both.
The security configuration described under Site configuration should be applied to the following domains:
- stop-tihange.org
- anti-akw-ac.de
- stop-tihange.eu
The security headers cannot be set exactly as demanded by the Security Rules because the chosen template uses inline CSS. The following header needs to be modified:
- Content-Security-Policy: from `default-src 'self';` to `default-src 'self'; style-src 'self' 'unsafe-inline';`.
The headers are activated by adding a file named `_headers` to the Hugo `static` folder. The following headers are set globally by the Cloudflare security configuration in each zone:
- Strict-Transport-Security
- X-Content-Type-Options
If web analytics is integrated directly via Cloudflare Pages, the script appears to be injected without the security-relevant hash in the integrity attribute.
Sample of the embedded JavaScript code:

```html
<script defer
        src="https://static.cloudflareinsights.com/beacon.min.js/v52afc6f149f6479b8c77fa569edb01181681764108816"
        integrity="sha512-jGCTpDpBAYDGNYR5ztKt4BQPGef1P0giN6ZGVUi835kFF88FOmmn8jBQWNgrNd8g/Yu421NdgWhwQoaOPFflDw=="
        data-cf-beacon='{
            "rayId":"7d5acfd98825cadd",
            "version":"2023.4.0",
            "r":1,
            "token":"350831e1b3de440ba368ef1f0f760fdd","si":100}'
        crossorigin="anonymous">
</script>
```
If web analytics is activated, the domain static.cloudflareinsights.com must be added as an allowed script source in the Content-Security-Policy response header:
Sample for the CSP:

```
Content-Security-Policy: default-src 'self' static.cloudflareinsights.com;
```

The complete `_headers` file (the `/*` line applies the headers to every path):

```
/*
  Content-Security-Policy: default-src 'self' static.cloudflareinsights.com; style-src 'self' 'unsafe-inline';
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Access-Control-Allow-Origin: https://www.stop-tihange.org, https://www.anti-akw-ac.de
  Referrer-Policy: same-origin
  Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()
```
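The two requirements the page places on the `_headers` file (the `style-src 'self' 'unsafe-inline'` relaxation for the theme's inline CSS, and `static.cloudflareinsights.com` as an allowed script source once analytics is on) and the integrity check for the embedded analytics script are easy to get wrong by hand, so the following added example (not part of this page or of the project's repository) parses a `_headers` file, audits its CSP against those requirements, and computes and verifies Subresource Integrity tokens for a script body. The `SAMPLE_HEADERS` text and the script bytes are constructed for the example. The audit also flags an `Access-Control-Allow-Origin` value listing more than one origin, because that header accepts a single origin (or `*`) and browsers reject a comma-separated list.

```python
import base64
import hashlib

# Constructed sample of the Cloudflare Pages "_headers" file described on the page:
# a path matcher line, followed by indented "Name: value" lines.
SAMPLE_HEADERS = """\
/*
  Content-Security-Policy: default-src 'self' static.cloudflareinsights.com; style-src 'self' 'unsafe-inline';
  X-Frame-Options: SAMEORIGIN
  Access-Control-Allow-Origin: https://www.stop-tihange.org, https://www.anti-akw-ac.de
  Referrer-Policy: same-origin
"""

ANALYTICS_HOST = "static.cloudflareinsights.com"


def parse_headers_file(text):
    """Parse a _headers file into {path_pattern: {lower-case header name: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments
        if not raw[0].isspace():
            current = raw.strip()         # an unindented line starts a new path rule
            rules.setdefault(current, {})
        elif current is not None and ":" in raw:
            name, value = raw.strip().split(":", 1)
            rules[current][name.strip().lower()] = value.strip()
    return rules


def parse_csp(policy):
    """Split a CSP value into {directive: [source expressions]}."""
    csp = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    return csp


def csp_allows_script_host(policy, host):
    """True if scripts from host are allowed: script-src wins, otherwise default-src
    applies as the fallback. Exact host match only (no scheme or wildcard handling)."""
    csp = parse_csp(policy)
    sources = csp.get("script-src", csp.get("default-src", []))
    return host in sources


def audit_headers(text, analytics_enabled=True):
    """Return a list of findings for the '/*' rule; an empty list means the
    page's requirements are met."""
    findings = []
    headers = parse_headers_file(text).get("/*", {})
    policy = headers.get("content-security-policy")
    if policy is None:
        findings.append("Content-Security-Policy header missing")
    else:
        csp = parse_csp(policy)
        if "'unsafe-inline'" not in csp.get("style-src", []):
            findings.append("style-src lacks 'unsafe-inline' needed by the theme's inline CSS")
        if analytics_enabled and not csp_allows_script_host(policy, ANALYTICS_HOST):
            findings.append(f"{ANALYTICS_HOST} is not an allowed script source")
    acao = headers.get("access-control-allow-origin", "")
    if "," in acao:
        findings.append("Access-Control-Allow-Origin lists several origins; only one (or *) is valid")
    return findings


def sri_hash(content, algo="sha512"):
    """Compute an SRI integrity token ("<algo>-<base64 digest>") for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content, integrity_attr):
    """True if any token in a script's integrity attribute matches the bytes actually served."""
    return any(
        token.partition("-")[0] in ("sha256", "sha384", "sha512")
        and sri_hash(content, token.partition("-")[0]) == token
        for token in integrity_attr.split()
    )


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
    beacon = b"/* constructed stand-in for beacon.min.js */"   # not the real script
    print(sri_hash(beacon), integrity_matches(beacon, sri_hash(beacon)))
```

To check the real analytics script, fetch the `src` URL from the sample above, pass the response body to `integrity_matches` together with the `integrity` attribute, and re-run the check whenever the versioned `src` changes, since a new script body invalidates the old hash.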