Adds the following headers as static: X-Content-Type-Options "nosniff" X-XSS-Protection "1; mode=block" append Content-Security-Policy "default-src 'self' https: wss:;" nosniff prevents non-executable MIME types from becoming executable. The X-XSS-Protection header will prevent the loading of a page if the browser detects an XSS attack. The Content-Security-Policy declares what dynamic resources are allowed to load. Adds the following header as user-settable via the keystone_x_frame_options variable. X-Frame-Options "DENY". By default the X-Frame-Options header denies embedding in an iframe. Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1 Partial-Bug: 1717321 (cherry picked from commit 81a28142a065e07f16756b1bc4cfb68a98e0a2e9)tags/16.0.4
@@ -0,0 +1,8 @@ | |||
--- | |||
security: | |||
- | | |||
The following headers were added as additional default (and static) values. | |||
`X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and | |||
`Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally, | |||
the `X-Frame-Options DENY` header was added, defaulting to DENY. You may | |||
override the header via the `keystone_x_frame_options` variable. |
@@ -12,6 +12,11 @@ Listen {{ keystone_service_port }} | |||
CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }} | |||
Options +FollowSymLinks | |||
Header set X-Content-Type-Options "nosniff" | |||
Header set X-XSS-Protection "1; mode=block" | |||
Header set Content-Security-Policy "default-src 'self' https: wss:;" | |||
Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}" | |||
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%} | |||
SSLEngine on | |||
SSLCertificateFile {{ keystone_ssl_cert }} | |||
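Review bot: The four `Header set` directives added after `Options +FollowSymLinks` use Apache's default `onsuccess` condition, so the headers are only attached to 2xx responses and are missing from error responses and locally generated redirects for this vhost; to apply them to every response they should read `Header always set X-Content-Type-Options "nosniff"`, with the same `always` on the other three lines. Separately, the `https:` scheme source in `default-src 'self' https: wss:;` allows scripts and other resources from any HTTPS origin, so this policy mainly blocks plaintext and non-HTTPS content rather than restricting script sources to the service itself, which is worth stating in a comment next to the directive so it is not read as a strict CSP. The enclosing VirtualHost block starts and ends outside this hunk.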
@@ -75,6 +80,7 @@ Listen {{ keystone_admin_port }} | |||
CustomLog /var/log/keystone/ssl_access.log {{ keystone_apache_custom_log_format }} | |||
Options +FollowSymLinks | |||
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%} | |||
SSLEngine on | |||
SSLCertificateFile {{ keystone_ssl_cert }} |
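Review bot: This hunk for the `{{ keystone_admin_port }}` vhost reports a single added line, but no added line survives in the rendered view, so I cannot tell whether the admin listener receives the same `Header set` lines the public vhost gets in the previous hunk. If it does not, responses on the admin port are served without `X-Content-Type-Options`, `X-XSS-Protection`, `Content-Security-Policy` and `X-Frame-Options`, and the same four `Header always set` lines should be inserted after `Options +FollowSymLinks` here as well. The enclosing VirtualHost block starts and ends outside this hunk.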
@@ -22,6 +22,11 @@ server { | |||
access_log /var/log/nginx/{{ item }}-access.log custom; | |||
error_log /var/log/nginx/{{ item }}-error.log info; | |||
add_header X-Content-Type-Options nosniff; | |||
add_header X-XSS-Protection "1; mode=block"; | |||
add_header Content-Security-Policy "default-src 'self' https: wss:;"; | |||
add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }}; | |||
location / { | |||
try_files $uri @yourapplication; | |||
} |
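Review bot: The `add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};` line leaves the rendered value unquoted, unlike the Apache template, so any override containing whitespace (for example an `ALLOW-FROM` form) renders into an invalid directive and nginx rejects the configuration; it should be `add_header X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}";`. Also, `add_header` without the `always` parameter only attaches the header to success and redirect responses, and an `add_header` placed inside a `location` block (such as `location /` below) replaces rather than extends this server-level set, so the four lines should carry `always` and that inheritance rule is worth a comment above them. The enclosing `server` block continues outside this hunk.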
@@ -87,6 +87,8 @@ keystone_apache_modules: | |||
state: "present" | |||
- name: "proxy_uwsgi" | |||
state: "present" | |||
- name: "headers" | |||
state: "present" | |||
keystone_nginx_conf_path: 'conf.d' | |||
@@ -77,6 +77,8 @@ keystone_apache_modules: | |||
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}" | |||
- name: "proxy_http" | |||
state: "present" | |||
- name: "headers" | |||
state: "present" | |||
keystone_nginx_conf_path: "sites-available" | |||