[#1187] Update default server page and loading page to add the CSP header for an hardened security

This commit is contained in:
Théophile Diot 2024-05-21 12:53:07 +01:00
parent eb6c407faa
commit 0c8cba4d0f
No known key found for this signature in database
GPG key ID: 248FEA4BAE400D06
4 changed files with 77 additions and 97 deletions



@ -36,11 +36,40 @@ server {
{% endif %}
{% if IS_LOADING == "yes" +%}
root /usr/share/bunkerweb/loading;
try_files /index.html =404;
etag off;
add_header Last-Modified "";
server_tokens off;
location / {
etag off;
add_header Last-Modified "";
server_tokens off;
default_type 'text/html';
root /usr/share/bunkerweb/loading;
content_by_lua_block {
local utils = require "bunkerweb.utils"
local rand = utils.rand
local subsystem = ngx.config.subsystem
local template
local render = nil
if subsystem == "http" then
template = require "resty.template"
render = template.render
end
local nonce_style = rand(16)
-- Override CSP header
ngx.header["Content-Security-Policy"] = "default-src 'none'; form-action 'self'; img-src 'self' data:; style-src 'self' 'nonce-"
.. nonce_style
.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"
-- Remove server header
ngx.header["Server"] = nil
-- Render template
render("index.html", {
nonce_style = nonce_style
})
}
}
{% endif %}
# include core and plugins default-server configurations
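Review bot: The policy built at the `ngx.header["Content-Security-Policy"]` assignment sets no `frame-ancestors`, and that directive does not fall back to `default-src 'none'`, so the loading page remains frameable by any origin unless an X-Frame-Options or CSP header is added somewhere outside this hunk, which the diff does not show. Appending `frame-ancestors 'none';` to the final literal (`.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script'; frame-ancestors 'none';"`) closes that gap without changing how the page renders. The same policy string appears in the default-server hunk below with the identical omission, so both should be changed together. The nonce protecting the inline style only helps if `utils.rand` draws from an unpredictable source; its implementation is outside this diff and is worth confirming.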


@ -1,9 +1,36 @@
{% if IS_LOADING != "yes" and DISABLE_DEFAULT_SERVER == "no" +%}
root /usr/share/bunkerweb/core/misc/files;
location / {
try_files /default.html =404;
etag off;
add_header Last-Modified "";
server_tokens off;
default_type 'text/html';
root /usr/share/bunkerweb/core/misc/files;
content_by_lua_block {
local utils = require "bunkerweb.utils"
local rand = utils.rand
local subsystem = ngx.config.subsystem
local template
local render = nil
if subsystem == "http" then
template = require "resty.template"
render = template.render
end
local nonce_style = rand(16)
-- Override CSP header
ngx.header["Content-Security-Policy"] = "default-src 'none'; form-action 'self'; img-src 'self' data:; style-src 'self' 'nonce-"
.. nonce_style
.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"
-- Remove server header
ngx.header["Server"] = nil
-- Render template
render("default.html", {
nonce_style = nonce_style,
})
}
}
{% endif %}
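Review bot: `render` starts as nil and is only assigned when `ngx.config.subsystem == "http"`, yet `render("default.html", ...)` is called unconditionally, so on any other path the block would die with an attempt-to-call-nil error instead of a clear message. Because this Lua lives inside a `location /` block, which only exists in the http subsystem, the branch appears to be dead here; either drop the check and `require "resty.template"` directly, or keep it and fail explicitly with `assert(render, "resty.template is only available in the http subsystem")` before the call. The loading-page hunk above has the same shape and should be adjusted the same way.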
