Document the new config section

Author: hmpf

NOTES.rst

@@ -8,6 +8,22 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
 To see an overview of upcoming release milestones and the issues they resolve,
 please go to https://github.com/uninett/nav/milestones .
 
+NAV 5.9
+=======
+
+Web security
+------------
+
+While it is only relevant for older browsers, the HTTP header
+``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers
+that do not support it after all.
+
+There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When
+running in production with SSL/TLS turned on, there's a new flag ``needs_tls``
+that should also be toggled on. This'll turn on secure cookies (only sent over
+SSL/TLS). See also the new howto
+:doc:`Securing NAV in production </howto/securing-nav-in-production>`.
+
 NAV 5.8
 =======
 

doc/howto/index.rst

@@ -19,3 +19,4 @@ Howtos
    setting-up-logging
    using_the_api
    api_parameters
+   securing-nav-in-production

doc/howto/securing-nav-in-production.rst

@@ -0,0 +1,26 @@
+==========================
+Securing NAV in production
+==========================
+
+Overview
+========
+
+The default configuration of NAV is set up to work well during development, but
+needs to be tightened when running in production.
+
+NAV consists of pages controlled by NAV itself, and pages served directly by
+the web server. Security features for NAV's own pages are controlled via the
+``[security]``-section in the file :file:`webfront/webfront.conf`, while
+security for the other pages are controlled directly by the web server.
+
+
+SSL/TLS
+=======
+
+This needs to be turned on in the webserver itself. While there is no reason to
+serve any of NAV without SSL/TLS turned off, it is especially important for the
+pages controlled by NAV.
+
+When the server serves NAV with SSL/TLS, ensure that the ``needs_tls``-flag in
+the ``[security]``-section is set to ``yes``. This explicitly turns on secure
+cookies, which is dependent on SSL being in use.