openstack/fuel-library
Code Issues Proposed changes

Fix clickjacking attack vulnerability in nginx

Browse Source 
For Fuel web interface and other sites served by nginx on fuel master
we should use X-Frame-Options SAMEORIGIN to prevent from clickjacking,
e.g. the page can only be displayed in a frame on the same
origin as the page itself.

Change-Id: Ie8d6e4e92222ac9bb7c489dd0a5aff833fabe873
Closes-Bug: #1497194
This commit is contained in:
Andrey Bubyr 2015-11-16 15:12:08 +02:00
parent 9a17ca6af1
commit f3bbdb9f48
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
deployment/puppet/nailgun/spec/classes/nginx_service_spec.rb Normal file
View File

@ -0,0 +1,7 @@
require 'spec_helper'
describe 'nailgun::nginx-service' do
it 'should contain X-Frame-Options SAMEORIGIN header' do
should contain_file('/etc/nginx/nginx.conf').with_content(/^\s*add_header X-Frame-Options SAMEORIGIN;$/)
end
end

3
deployment/puppet/nailgun/templates/nginx.conf.erb
View File

@ -35,6 +35,9 @@ http {
#prefer server ciphers over client ones #prefer server ciphers over client ones
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
#prevent from clickjacking attacks
add_header X-Frame-Options SAMEORIGIN;
# Load config files from the /etc/nginx/conf.d directory # Load config files from the /etc/nginx/conf.d directory
# The default server is in conf.d/default.conf # The default server is in conf.d/default.conf
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;