Add "profile" setting to help default security settings

Description

Add "profile" property to server.json with these possible values:

  • development - dev settings, insecure

  • production - secure settings

  • none - No lockdown at all provided (use for custom control)

If a profile is not set, use these rules for the default value:

  • If there is an env var called "environment", use it to set the default profile

  • If the site is bound on localhost, default the profile to "development"

  • If neither of the above is true, the default profile is "production"

When profile is set to "production", default the following:

  • web.directoryListing = false

  • web.blockCFAdmin = external

  • web.blockConfigPaths = true

When profile is set to "development", default the following:

  • web.directoryListing = true

  • web.blockCFAdmin = false

  • web.blockConfigPaths = true

When profile is set to "none", default the following:

  • web.directoryListing = true

  • web.blockCFAdmin = false

  • web.blockConfigPaths = false

Assignee

Brad Wood

Reporter

Brad Wood

Labels

None

Affects versions

None

Fix versions

Priority

Major