From f3bbdb9f48bbbe105fce430ed457fb353a95db9a Mon Sep 17 00:00:00 2001
From: Andrey Bubyr
Date: Mon, 16 Nov 2015 15:12:08 +0200
Subject: [PATCH] Fix clickjacking attack vulnerability in nginx

For Fuel web interface and other sites served by nginx on fuel master we should use X-Frame-Options SAMEORIGIN to prevent from clickjacking, e.g. the page can only be displayed in a frame on the same origin as the page itself.

Change-Id: Ie8d6e4e92222ac9bb7c489dd0a5aff833fabe873
Closes-Bug: #1497194
---
 .../puppet/nailgun/spec/classes/nginx_service_spec.rb | 7 +++++++
 deployment/puppet/nailgun/templates/nginx.conf.erb | 3 +++
 2 files changed, 10 insertions(+)
 create mode 100644 deployment/puppet/nailgun/spec/classes/nginx_service_spec.rb

diff --git a/deployment/puppet/nailgun/spec/classes/nginx_service_spec.rb b/deployment/puppet/nailgun/spec/classes/nginx_service_spec.rb
new file mode 100644
index 0000000000..e274c89a98
--- /dev/null
+++ b/deployment/puppet/nailgun/spec/classes/nginx_service_spec.rb
@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'nailgun::nginx-service' do
+ it 'should contain X-Frame-Options SAMEORIGIN header' do
+ should contain_file('/etc/nginx/nginx.conf').with_content(/^\s*add_header X-Frame-Options SAMEORIGIN;$/)
+ end
+end
diff --git a/deployment/puppet/nailgun/templates/nginx.conf.erb b/deployment/puppet/nailgun/templates/nginx.conf.erb
index 85375e61ee..546136ff51 100644
--- a/deployment/puppet/nailgun/templates/nginx.conf.erb
+++ b/deployment/puppet/nailgun/templates/nginx.conf.erb
@@ -35,6 +35,9 @@ http {
 #prefer server ciphers over client ones
 ssl_prefer_server_ciphers on;
 
+ #prevent from clickjacking attacks
+ add_header X-Frame-Options SAMEORIGIN;
+
 # Load config files from the /etc/nginx/conf.d directory
 # The default server is in conf.d/default.conf
 include /etc/nginx/conf.d/*.conf;
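Review bot: The example description in the new spec starts with "should" (`it 'should contain X-Frame-Options SAMEORIGIN header' do`), which reads doubly against the `should` matcher on the following line; RSpec convention is a present-tense description such as `it 'adds the X-Frame-Options SAMEORIGIN header to nginx.conf' do`. The `$` anchor in the regex is per-line, which is the right choice for matching a single directive inside multi-line file content, but it also pins the directive to exactly `SAMEORIGIN;`, so any later parameter appended to it (nginx's `always`, for instance) will need this spec updated in step. Indentation of the added lines appears to have been lost in this rendering of the patch rather than in the file itself.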
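Review bot: Declaring `add_header X-Frame-Options SAMEORIGIN;` at the `http {}` level does not guarantee every response carries it: nginx inherits `add_header` from the enclosing level only when the current level declares no `add_header` of its own, so any `server` or `location` block pulled in by the `include /etc/nginx/conf.d/*.conf` line two lines below that sets its own headers silently drops this one. Those included files are outside this diff, so whether any of them does that is not visible here, and the new spec asserting the header on nginx.conf alone would not catch it. I would extend the comment to `#prevent from clickjacking attacks (note: any server/location block with its own add_header must repeat this directive)` so the next person adding headers in conf.d knows to carry it over. If the nginx shipped on the master is 1.7.5 or newer, `add_header X-Frame-Options SAMEORIGIN always;` also attaches the header to error responses, which plain `add_header` only adds to success and redirect status codes.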