Skip to content

Help

Reminder to all repository users: Please do not add , commit and push any data files to your remote git repositories. The disk space the Git server is limited, it wasn't dimensioned to host anything else than code. Solely your code files need versioning. The data inputs/outputs don't. A good idea is to do "git add" individually on each file you want to commit, to avoid versioning unwanted content.

Security

Resources

Mozilla’s HTTP Observatory CLI and the Qualys SSL Labs Server Test are good resources for finding potential problems and ensuring compliance with security best practices.

Including external resources

External fonts, CSS, and JavaScript should never be used with the exception of Google Analytics and Piwik - and only when the instance has enabled it. Assets should always be hosted and served locally from the GitLab instance. Embedded resources via iframes should never be used except in certain circumstances such as with ReCaptcha, which cannot be used without an iframe.

Avoiding inline scripts and styles

In order to protect users from XSS vulnerabilities, we will disable inline scripts in the future using Content Security Policy.

While inline scripts can be useful, they're also a security concern. If user-supplied content is unintentionally left un-sanitized, malicious users can inject scripts into the web app.

Inline styles should be avoided in almost all cases, they should only be used when no alternatives can be found. This allows reusability of styles as well as readability.