Nagios – API Handling – HTTP Security Headers Not Present

Added new X-Content-Type-Options: nosniff header to make sure the browser
does not try to detect a different Content-Type than what is actually
sent (can lead to XSS)

Added new X-Frame-Options: sameorigin header to protect against
drag and drop clickjacking attacks in older browsers

Added new Content-Security-Policy: script-src self for implementation

Added new HTTP Security header X-XSS-Protection: 1; mode=block to
sanitize the page; when an XSS attack is detected, the browser will
prevent rendering of the page

Change-Id: Ic79bbb96484a7f1a497c001883783338fd26a47a
RAHUL KHIYANI 2019-08-06 01:41:59 -05:00 committed by Rahul Khiyani
parent 8f749dd061
commit ac65a37b0b


@ -191,6 +191,11 @@ network:
nginx.ingress.kubernetes.io/session-cookie-hash: sha1
nginx.ingress.kubernetes.io/session-cookie-expires: "600"
nginx.ingress.kubernetes.io/session-cookie-max-age: "600"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "X-Content-Type-Options: 'nosniff'";
more_set_headers "X-Frame-Options: SAMEORIGIN";
more_set_headers "Content-Security-Policy: script-src 'self'";
more_set_headers "X-XSS-Protection: 1; mode=block";
node_port:
enabled: false
port: 30925
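Review bot: The `X-Content-Type-Options` line wraps the value in single quotes (`'nosniff'`), which is not the header's syntax; browsers match the literal token `nosniff`, so the quoted value is liable to be ignored and the header then gives no protection. Suggest `more_set_headers "X-Content-Type-Options: nosniff";`, matching the unquoted `SAMEORIGIN` on the next line (the single quotes around `'self'` in the CSP line are correct, since CSP keyword sources require them). Two smaller points on the same snippet: `Content-Security-Policy: script-src 'self'` restricts only scripts, with no `default-src` fallback for other resource types, and it will block any inline script the served UI relies on, so this should be verified against the application before rollout; and `X-XSS-Protection` is deprecated and ignored by current browsers, so it should be treated as a legacy-browser measure only, not relied on alongside the CSP.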