Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: Update Content-Security-Policy and security headers in UI code

Browse source
This commit is contained in:
Théophile Diot 2024-07-24 11:39:04 +01:00
parent 1d850cbd76
commit aa6c488041
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
2 changed files with 22 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/common/core/ui/confs/default-server-http/ui.conf
View file

@ -36,19 +36,11 @@ location /setup/check {
add_header 'Access-Control-Allow-Methods' 'GET' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
default_type 'text/plain';
default_type 'text/plain; charset=utf-8';
content_by_lua_block {
-- Override CSP header
ngx.header["Content-Security-Policy"] = "default-src 'none'; img-src 'self'; require-trusted-types-for 'script';"
-- Remove server header
ngx.header["Server"] = nil
-- Override HSTS header
if ngx.var.scheme == "https" then
ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
end
local logger = require "bunkerweb.logger":new("UI")
local args, err = ngx.req.get_uri_args(1)
if err == "truncated" or not args["server_name"] or args["server_name"] == "" then

23
src/ui/main.py
View file

@ -405,8 +405,9 @@ def inject_variables():
@app.after_request
def set_csp_header(response):
"""Set the Content-Security-Policy header to prevent XSS attacks."""
def set_security_headers(response):
"""Set the security headers."""
# * Content-Security-Policy header to prevent XSS attacks
response.headers["Content-Security-Policy"] = (
"object-src 'none';"
+ " frame-ancestors 'self';"
@ -416,9 +417,26 @@ def set_csp_header(response):
+ " img-src 'self' data: https://assets.bunkerity.com;"
+ " font-src 'self' data:;"
+ " base-uri 'self';"
+ " block-all-mixed-content;"
+ (" connect-src *;" if request.path.startswith(("/check", "/setup")) else "")
)
if request.headers.get("X-Forwarded-Proto") == "https":
if not request.path.startswith("/setup/loading"):
response.headers["Content-Security-Policy"] += " upgrade-insecure-requests;"
# * Strict-Transport-Security header to force HTTPS if accessed via a reverse proxy
response.headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains; preload"
# * X-Frames-Options header to prevent clickjacking
response.headers["X-Frame-Options"] = "DENY"
# * X-Content-Type-Options header to prevent MIME sniffing
response.headers["X-Content-Type-Options"] = "nosniff"
# * Referrer-Policy header to prevent leaking of sensitive data
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
return response
@ -617,6 +635,7 @@ def setup():
"REVERSE_PROXY_URL": request.form["ui_url"] or "/",
"INTERCEPTED_ERROR_CODES": "400 404 405 413 429 500 501 502 503 504",
"MAX_CLIENT_SIZE": "50m",
"KEEP_UPSTREAM_HEADERS": "Content-Security-Policy Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy",
}
if request.form.get("auto_lets_encrypt", "no") == "yes":