chore: Update CSP and HSTS headers for improved security in default pages and error pages

This commit updates the Content-Security-Policy (CSP) and HTTP Strict Transport Security (HSTS) headers to enhance the security of the application. The changes include: - Adding 'frame-ancestors' directive to the CSP header to restrict framing of the application - Setting the 'Strict-Transport-Security' header to enable HSTS with a max-age of 31536000 seconds and includeSubDomains and preload options These changes ensure that the application follows best practices for content security and enforces secure communication over HTTPS.
2026-05-24 09:28:37 +00:00 · 2024-06-27 17:32:03 +01:00 · 2024-06-27 17:32:03 +01:00 · e18c025305
commit e18c025305
parent 13bf3e5049
5 changed files with 36 additions and 11 deletions
--- a/src/common/confs/default-server-http.conf
+++ b/src/common/confs/default-server-http.conf
@ -74,11 +74,16 @@ server {
 						.. nonce_script
 						.. "'; style-src 'nonce-"
 						.. nonce_style
-						.. "'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"
+						.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"

 				-- Remove server header
 				ngx.header["Server"] = nil

+				-- Override HSTS header
+				if ngx.var.scheme == "https" then
+					ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+				end
+
 				-- Render template
 				render("index.html", {
 					nonce_style = nonce_style,
--- a/src/common/core/antibot/antibot.lua
+++ b/src/common/core/antibot/antibot.lua
@ -70,6 +70,7 @@ function antibot:header()
 			.. self.ctx.bw.antibot_nonce_script
 			.. "'",
 		["style-src"] = "'self' 'nonce-" .. self.ctx.bw.antibot_nonce_style .. "'",
+		["frame-ancestors"] = "'none'",
 		["require-trusted-types-for"] = "'script'",
 	}
 	if self.session_data.type == "recaptcha" then
--- a/src/common/core/errors/errors.lua
+++ b/src/common/core/errors/errors.lua
@ -89,16 +89,30 @@ function errors:render_template(code)
 	local nonce_script = rand(16)
 	local nonce_style = rand(16)

-	-- Override headers
-	local header = "Content-Security-Policy"
-	if self.variables["CONTENT_SECURITY_POLICY_REPORT_ONLY"] == "yes" then
-		header = header .. "-Report-Only"
-	end
-	ngx.header[header] = "default-src 'none'; form-action 'self'; script-src 'strict-dynamic' 'nonce-"
+	-- Override CSP header
+	--luacheck: ignore 631
+	ngx.header["Content-Security-Policy"] = "default-src 'none'; script-src http: https: 'unsafe-inline' 'strict-dynamic' 'nonce-"
 		.. nonce_script
-		.. "' 'unsafe-inline' http: https:; img-src 'self' data:; style-src 'self' 'nonce-"
+		.. "'; style-src 'nonce-"
 		.. nonce_style
-		.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"
+		--luacheck: ignore 631
+		.. "'; frame-ancestors 'none'; base-uri 'none'; img-src 'self' data:; font-src 'self' data:; require-trusted-types-for 'script';"
+
+	-- Remove server header
+	ngx.header["Server"] = nil
+
+	-- Override HSTS header
+	local ssl
+
+	if self.ctx.bw and self.ctx.bw.https_configured == "yes" then
+		ssl = true
+	else
+		ssl = ngx.var.scheme == "https"
+	end
+
+	if ssl then
+		ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+	end

 	-- Render template
 	render("error.html", {
--- a/src/common/core/headers/headers.lua
+++ b/src/common/core/headers/headers.lua
@ -80,7 +80,7 @@ end
 function headers:header()
 	-- Override upstream headers if needed
 	local ngx_header = ngx.header
-	local ssl = self.ctx.bw.scheme == "https"
+	local ssl = self.ctx.bw.https_configured == "yes"
 	for variable, header in pairs(self.all_headers) do
 		if
 			ngx_header[header] == nil
--- a/src/common/core/misc/confs/default-server-http/page.conf
+++ b/src/common/core/misc/confs/default-server-http/page.conf
@ -20,13 +20,18 @@ location / {
 			local nonce_style = rand(16)

 			-- Override CSP header
-			ngx.header["Content-Security-Policy"] = "default-src 'none'; form-action 'self'; img-src 'self' data:; style-src 'self' 'nonce-"
+			ngx.header["Content-Security-Policy"] = "default-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data:; style-src 'self' 'nonce-"
 				.. nonce_style
 				.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"

 			-- Remove server header
 			ngx.header["Server"] = nil

+			-- Override HSTS header
+			if ngx.var.scheme == "https" then
+				ngx.header["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
+			end
+
 			-- Render template
 			render("default.html", {
 				nonce_style = nonce_style,