Summary
The default stack weakens TLS verification internally and does not enable HSTS by default.
Evidence
configs/manager/configure_notify_push_default.sh:4 uses curl -k.
compose.yaml:449 starts notify_push with --allow-self-signed.
configs/nginx/conf/nextcloud_default.conf:49 leaves HSTS commented out.
Risk
This normalizes certificate-bypass behavior inside the deployment and weakens transport hardening for a service that carries authenticated sessions and file traffic.
Suggested Remediation
- Make certificate verification strict by default.
- Gate self-signed or insecure transport behavior behind an explicit development/testing flag.
- Document when HSTS should be enabled and consider a secure-by-default production template.
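The three remediation items can be expressed in one small shell helper that generates the transport-related settings. The script below is an added example, not the project's own configure script; the environment variable names (TLS_DEV_INSECURE, ENABLE_HSTS, DEPLOY_PROFILE) and the HSTS max-age are assumptions chosen for the illustration, while curl -k and --allow-self-signed are the flags named in the evidence above.

```shell
#!/bin/sh
# Added example (not the project's script): emit transport settings that are
# strict by default and only relax when an explicit development flag is set.
# TLS_DEV_INSECURE, ENABLE_HSTS, DEPLOY_PROFILE and the max-age value are assumptions.

# curl arguments: certificate verification stays on unless TLS_DEV_INSECURE=1.
curl_tls_args() {
    if [ "${TLS_DEV_INSECURE:-0}" = "1" ]; then
        # --insecure is the long form of the -k the original script used unconditionally.
        echo "--insecure"
    else
        # No -k, so verification is enforced; --fail surfaces HTTP errors to the caller.
        echo "--fail --silent --show-error"
    fi
}

# notify_push arguments: --allow-self-signed is opt-in under the same dev flag.
notify_push_args() {
    if [ "${TLS_DEV_INSECURE:-0}" = "1" ]; then
        echo "--allow-self-signed"
    else
        echo ""
    fi
}

# nginx HSTS directive: emitted only when ENABLE_HSTS=1; otherwise a comment that
# documents why it is off, in place of a silently commented-out line.
hsts_directive() {
    if [ "${ENABLE_HSTS:-0}" = "1" ]; then
        # 15552000 seconds (180 days) is a chosen value, not a project default.
        echo 'add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;'
    else
        echo '# HSTS disabled: set ENABLE_HSTS=1 once TLS is terminated correctly for every host.'
    fi
}

# Refuse to combine the insecure flag with the production profile.
check_profile() {
    if [ "${DEPLOY_PROFILE:-production}" = "production" ] && [ "${TLS_DEV_INSECURE:-0}" = "1" ]; then
        echo "refusing: TLS_DEV_INSECURE=1 is not allowed when DEPLOY_PROFILE=production" >&2
        return 1
    fi
    return 0
}

# Demonstration of the generated settings with the defaults (strict, HSTS off).
check_profile
printf 'curl args:        %s\n' "$(curl_tls_args)"
printf 'notify_push args: %s\n' "$(notify_push_args)"
printf 'nginx:            %s\n' "$(hsts_directive)"
```

Running it with no variables set produces the strict configuration; setting TLS_DEV_INSECURE=1 together with DEPLOY_PROFILE=development reproduces the current behaviour as a deliberate choice rather than a default, and the profile check turns the combination of production and the insecure flag into a hard failure instead of a quietly weakened deployment.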