RoundCube
*********

Apache
------

* Do not set :code:`X-Frame-Options` in the Apache configuration: RoundCube already sends it itself (a duplicate header would be ignored or conflict).
* :file:`.htaccess` files are ignored because :code:`AllowOverride All` isn't used, so all rules must be defined in the Apache virtualhost configuration.

.. literalinclude:: roundcube_headers.j2
   :caption: roundcube_headers
   :name: roundcube_headers.j2
   :language: apacheconf

.. literalinclude:: roundcube.j2
   :caption: roundcube
   :name: roundcube.j2
   :language: apacheconf

config.inc.php
--------------

Set the session cookie to :code:`SameSite=Strict` (see https://github.com/roundcube/roundcubemail/issues/9789):

.. code-block:: php
   :caption: config.inc.php
   :name: roundcube_config

   $config['session_samesite'] = 'Strict';

robots.txt
----------

Keep the webmail out of search engines:

.. code-block:: console

   # su - rcube -s /bin/bash
   $ cd ~/public_html
   $ cat << EOF > robots.txt
   User-agent: *
   Disallow: /
   EOF
   $ chmod 644 robots.txt

security.txt
------------

Publish a :file:`.well-known/security.txt`, then expose both files from the directory Apache actually serves:

.. code-block:: console

   # su - rcube -s /bin/bash
   $ install -d -m 0755 ~/public_html/.well-known
   $ cd ~/public_html/.well-known
   $ wget -N https://www.cgsecurity.org/.well-known/security.txt
   $ chmod 644 security.txt
   $ cd ~/public_html/public_html/
   $ ln -s ../robots.txt .
   $ ln -s ../.well-known/ .

Audit
-----

.. literalinclude:: roundcube_check.py
   :caption: roundcube_check.py
   :name: roundcube_check-py
   :language: python

.. literalinclude:: roundcube_check.txt
   :caption: roundcube_check.py output
   :name: roundcube_check-txt

Note that :code:`DocumentRoot` points to :file:`PATH/public_html/public_html` instead of :file:`PATH/public_html/`, which is why :file:`robots.txt` and :file:`.well-known` are symlinked into that directory above.

Remaining findings reported by :code:`twa` (PASS lines filtered out):

.. code-block:: console
   :name: roundcube_twa

   $ twa -d mail.cgsecurity.org|grep -v PASS
   MEH(mail.cgsecurity.org): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
   MEH(mail.cgsecurity.org): TWA-0213: Referrer-Policy specifies 'same-origin', consider 'no-referrer'?
   FAIL(mail.cgsecurity.org): TWA-0219: Content-Security-Policy missing
   FAIL(mail.cgsecurity.org): TWA-0220: Feature-Policy missing
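The following is an added example, not the page's :file:`roundcube_check.py` nor part of RoundCube itself. It reproduces the kind of header checks :code:`twa` reports above (X-Frame-Options, Referrer-Policy, Content-Security-Policy, Permissions-Policy/Feature-Policy) and adds a check on the :code:`Set-Cookie` attributes that :code:`$config['session_samesite']` is meant to control, so the Strict setting can be verified from the outside. The severity labels (MEH/FAIL) mimic :code:`twa`'s style, the sample header sets are constructed, and the cookie name :code:`roundcube_sessid` in them is an assumption about RoundCube's default session cookie name.

```python
"""Header audit for a Roundcube virtualhost (added example, not roundcube_check.py)."""
import sys
import urllib.error
import urllib.request


def audit_headers(headers):
    """headers: list of (name, value) pairs, e.g. from HTTPMessage.items().

    Returns a list of 'LEVEL: message' strings; an empty list means all checks passed.
    Levels mimic twa: MEH for weak-but-present, FAIL for missing/insecure.
    """
    findings = []
    single = {}   # first value seen for each non-cookie header, lower-cased name
    cookies = []  # every Set-Cookie value, since there may be several
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)
        elif key not in single:
            single[key] = value.strip()

    # X-Frame-Options: Roundcube sends it itself; 'sameorigin' is its default.
    xfo = single.get("x-frame-options", "").lower()
    if not xfo:
        findings.append("FAIL: X-Frame-Options missing")
    elif xfo != "deny":
        findings.append(f"MEH: X-Frame-Options is '{xfo}', consider 'deny'")

    # Referrer-Policy: anything other than no-referrer leaks the webmail URL.
    rp = single.get("referrer-policy", "").lower()
    if not rp:
        findings.append("FAIL: Referrer-Policy missing")
    elif rp != "no-referrer":
        findings.append(f"MEH: Referrer-Policy is '{rp}', consider 'no-referrer'")

    if "content-security-policy" not in single:
        findings.append("FAIL: Content-Security-Policy missing")

    # twa still reports the legacy name; accept either spelling.
    if "permissions-policy" not in single and "feature-policy" not in single:
        findings.append("FAIL: Permissions-Policy (or legacy Feature-Policy) missing")

    # Session cookie attributes: Secure, HttpOnly and SameSite=Strict
    # (the latter is what session_samesite = 'Strict' should produce).
    for raw in cookies:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip().lower()
        if "secure" not in attrs:
            findings.append(f"FAIL: cookie '{cookie_name}' lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"FAIL: cookie '{cookie_name}' lacks HttpOnly")
        if attrs.get("samesite") != "strict":
            findings.append(
                f"MEH: cookie '{cookie_name}' SameSite is "
                f"'{attrs.get('samesite', 'unset')}', consider 'Strict'"
            )
    return findings


def fetch_headers(url):
    """Fetch a URL and return its response headers, even on a 4xx/5xx reply."""
    req = urllib.request.Request(url, headers={"User-Agent": "rc-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())


# Constructed samples: the first mirrors the twa findings above and a cookie
# without Secure/SameSite, the second is what a hardened virtualhost returns.
WEAK_SAMPLE = [
    ("Server", "Apache"),
    ("X-Frame-Options", "sameorigin"),
    ("Referrer-Policy", "same-origin"),
    ("Set-Cookie", "roundcube_sessid=abc123; path=/; HttpOnly"),
]
HARDENED_SAMPLE = [
    ("X-Frame-Options", "deny"),
    ("Referrer-Policy", "no-referrer"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "roundcube_sessid=abc123; path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_SAMPLE
    for line in audit_headers(hdrs) or ["PASS: no findings"]:
        print(line)
```

Run it as :code:`python3 rc_audit.py https://mail.example.org/` against a live host, or with no argument to see the findings for the constructed weak sample; the cookie checks only fire on responses that actually set a cookie, so point it at the login page rather than a static asset.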