Add security headers to web accessible services.
Adds the following headers as static:
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
append Content-Security-Policy "default-src 'self' https: wss:;"
nosniff prevents non-executable MIME types from being treated as executable.
The X-XSS-Protection header will prevent the loading of a page if the
browser detects an XSS attack. The Content-Security-Policy declares
what dynamic resources are allowed to load.
Adds the following header as user-setable via the
keystone_x_frame_options variable.
X-Frame-Options "DENY"
By default the X-Frame-Options header denies embedding in an iframe.
Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
Partial-Bug: 1717321
(cherry picked from commit 81a28142a0
)
@ -0,0 +1,8 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
The following headers were added as additional default (and static) values.
|
||||
`X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and
|
||||
`Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally,
|
||||
the `X-Frame-Options DENY` header was added, defaulting to DENY. You may
|
||||
override the header via the `keystone_x_frame_options` variable.
|
|
@ -12,6 +12,11 @@ Listen {{ keystone_service_port }}
|
|||
CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }}
|
||||
Options +FollowSymLinks
|
||||
|
||||
Header set X-Content-Type-Options "nosniff"
|
||||
Header set X-XSS-Protection "1; mode=block"
|
||||
Header set Content-Security-Policy "default-src 'self' https: wss:;"
|
||||
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
|
||||
|
||||
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ keystone_ssl_cert }}
|
||||
|
@ -75,6 +80,7 @@ Listen {{ keystone_admin_port }}
|
|||
CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }}
|
||||
Options +FollowSymLinks
|
||||
|
||||
|
||||
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ keystone_ssl_cert }}
|
||||
|
|
|
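Review bot: The admin vhost in the second hunk (`Listen {{ keystone_admin_port }}`) gains only a blank line, so the four `Header set` directives apply to the `keystone_service_port` vhost alone and admin-port responses are sent without any of these headers; the same block belongs there too. Separately, `Header set` without `always` is applied by Apache only to successful responses, so 4xx/5xx responses (including server-generated error pages) would not carry `X-Frame-Options` or the CSP — `Header always set` covers both header tables. The CSP's `https:` and `wss:` scheme sources allow content from any HTTPS origin, which presumably is deliberate for Keystone's federation redirects; a one-line comment above the directive saying so would stop a later hardening pass from tightening it blindly. Both vhost blocks extend beyond the hunks.
```apache
    Options +FollowSymLinks

    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Content-Security-Policy "default-src 'self' https: wss:;"
    Header always set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"

    # … unchanged: SSL block …
```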
@ -22,6 +22,11 @@ server {
|
|||
access_log /var/log/nginx/{{ item }}-access.log custom;
|
||||
error_log /var/log/nginx/{{ item }}-error.log info;
|
||||
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Content-Security-Policy "default-src 'self' https: wss:;";
|
||||
add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};
|
||||
|
||||
location / {
|
||||
try_files $uri @yourapplication;
|
||||
}
|
||||
|
|
|
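Review bot: `add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};` interpolates the user-supplied value unquoted, so a value containing whitespace such as `ALLOW-FROM https://example.com` is split into extra directive arguments and nginx rejects the configuration; quoting it as `add_header X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}";` matches how the Apache template handles the same variable. Also, nginx applies `add_header` only to 2xx/3xx responses unless `always` is appended (available since nginx 1.7.5), so error responses lose all four headers. Note too that any `location` block declaring its own `add_header` stops inheriting these server-level ones — the visible `location /` does not, but the rest of the `server` block lies outside the hunk.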
@ -87,6 +87,8 @@ keystone_apache_modules:
|
|||
state: "present"
|
||||
- name: "proxy_uwsgi"
|
||||
state: "present"
|
||||
- name: "headers"
|
||||
state: "present"
|
||||
|
||||
keystone_nginx_conf_path: 'conf.d'
|
||||
|
||||
|
|
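Review bot: `keystone_x_frame_options` is described in the release note as user-settable, yet the only default visible in this change is the `| default('DENY')` filter inside the two templates; if the role's defaults file does not declare it (not visible here), consider adding `keystone_x_frame_options: "DENY"` there with a comment listing the accepted values (`DENY`, `SAMEORIGIN`, `ALLOW-FROM <uri>`) so the knob is discoverable next to the other role defaults. Enabling the `headers` module in this list is what makes the `Header` directives in the Apache template load, so the two pieces should stay together.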
|
@ -77,6 +77,8 @@ keystone_apache_modules:
|
|||
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
|
||||
- name: "proxy_http"
|
||||
state: "present"
|
||||
- name: "headers"
|
||||
state: "present"
|
||||
|
||||
keystone_nginx_conf_path: "sites-available"
|
||||
|
||||
|
|