
Add security headers to web accessable services.

Adds the following headers as static:

    X-Content-Type-Options "nosniff"
    X-XSS-Protection "1; mode=block"
    append Content-Security-Policy "default-src 'self' https: wss:;"

nosniff prevents non-executable MIME types from being treated as executable.
The X-XSS-Protection header will prevent the loading of a page if the
browser detects an XSS attack.  The Content-Security-Policy declares
what dynamic resources are allowed to load.

Adds the following header as user-setable via the
keystone_x_frame_options variable.

    X-Frame-Options "DENY"

By default the X-Frame-Options header denies embedding in an iframe.

Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
Partial-Bug: 1717321
tags/17.0.0.0b2
Matthew Thode 2 years ago
parent
commit
81a28142a0
5 changed files with 23 additions and 0 deletions
  1. +8
    -0
      releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml
  2. +6
    -0
      templates/keystone-httpd.conf.j2
  3. +5
    -0
      templates/keystone_nginx.conf.j2
  4. +2
    -0
      vars/suse-42.yml
  5. +2
    -0
      vars/ubuntu-16.04.yml

+ 8
- 0
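--- /dev/null
+++ b/releasenotes/notes/add-security-headers-e46c205b42b9598b.yaml
@@ -0,0 +1,8 @@
+---
+security:
+- |
+The following headers were added as additional default (and static) values.
+`X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and
+`Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally,
+the `X-Frame-Options DENY` header was added, defaulting to DENY. You may
+override the header via the `keystone_x_frame_options` variable.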
+ 6
- 0
templates/keystone-httpd.conf.j2 View File

@@ -12,6 +12,11 @@ Listen {{ keystone_service_port }}
CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }}
Options +FollowSymLinks

Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self' https: wss:;"
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"

{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
@@ -75,6 +80,7 @@ Listen {{ keystone_admin_port }}
CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }}
Options +FollowSymLinks


{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }}
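Review bot: The second hunk (`@@ -75,6 +80,7 @@`, the `keystone_admin_port` vhost) adds only a blank line, so responses served on the admin port carry none of the four headers the first hunk sets for the service-port vhost; the same four `Header set` lines should follow `Options +FollowSymLinks` in that vhost as well. If leaving the admin vhost out is deliberate, a template comment stating why would stop the next reader from treating the lone blank line as an unfinished edit. It is also worth a comment above the `Content-Security-Policy` line that `default-src 'self' https: wss:` permits scripts and other resources from any HTTPS origin, so the policy is a coarse baseline rather than an allow-list of trusted origins. Both vhost definitions start and end outside the hunks.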

+ 5
- 0
templates/keystone_nginx.conf.j2 View File

@@ -22,6 +22,11 @@ server {
access_log /var/log/nginx/{{ item }}-access.log custom;
error_log /var/log/nginx/{{ item }}-error.log info;

add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self' https: wss:;";
add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};

location / {
try_files $uri @yourapplication;
}
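Review bot: `add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};` leaves the user-supplied value unquoted, so a value containing whitespace (the `ALLOW-FROM uri` form) is split into extra directive arguments and nginx rejects the configuration, whereas the Apache template quotes the same value; quote it here too: `add_header X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}";`. Two nginx behaviours deserve a comment above the four directives: `add_header` is only applied to success and redirect responses unless the `always` parameter is given, so 4xx/5xx responses go out without these headers, and a `location` block that declares its own `add_header` inherits none of the server-level ones — the visible `location /` declares none, but any other location in this server block would need the four repeated. The enclosing `server {` block starts and ends outside the hunk.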

+ 2
- 0
vars/suse-42.yml View File

@@ -87,6 +87,8 @@ keystone_apache_modules:
state: "present"
- name: "proxy_uwsgi"
state: "present"
- name: "headers"
state: "present"

keystone_nginx_conf_path: 'conf.d'
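Review bot: The `headers` module entry is added here and in vars/ubuntu-16.04.yml only, while the `Header set` directives in templates/keystone-httpd.conf.j2 are unconditional; any other per-distribution vars file that defines `keystone_apache_modules` (none is visible in this commit) would leave Apache failing its config check on an unknown `Header` directive, so it is worth confirming the list of touched vars files is complete. A short comment on the new entry, `# required by the Header directives in templates/keystone-httpd.conf.j2`, would record why the module is now mandatory. The `keystone_apache_modules` list starts outside the hunk.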


+ 2
- 0
vars/ubuntu-16.04.yml View File

@@ -77,6 +77,8 @@ keystone_apache_modules:
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
- name: "proxy_http"
state: "present"
- name: "headers"
state: "present"

keystone_nginx_conf_path: "sites-available"

