[checkmk-commits] 6774 SEC Add Content-Security-Policy header to prevent some cross site scripting and injection attacks

Module: check_mk Branch: master Commit: 9f6161580aa9b5d68da9cce082078f0683dcb933 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=9f6161580aa9b5… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Fri Sep 28 09:49:24 2018 +0200 6774 SEC Add Content-Security-Policy header to prevent some cross site scripting and injection attacks When requesting pages from the GUI a <tt>Content-Security-Policy</tt> is now been set in the HTTP response. Using this mechanism the application can tell the browser which things are allowed to be done by the web page in the context of the browser. We are now, for example limiting the URLs where AJAX calls can be made to or the URLs which can be used as form targets. This helps to prevent some XSS and other injection attacks. The configuration of this policy is made in the apache configuration file <tt>etc/apache/conf.d/security.conf</tt>. In case you want to have a look at the details or want to extend the policy somehow you may edit the file in the context of your site configuration. To apply the changes you need to restart your site apache using <tt>omd restart apache</tt>. In case of trouble please let us know. We can probably adapt the default configuration to solve common issues with this policy for all users. One thing that may affect users that include Check_MK pages on other web pages using frames or iframes: We set the <tt>frame-ancestors</tt> option to <tt>'self'</tt> which means that only pages with the same protocol, url and port as the Check_MK page may refer to Check_MK pages. You can extend this statement with the URLs you want to allow. CMK-973 Change-Id: I27cab62a9bcee3cce05b6bef15d4ff4be6e752d9 --- .werks/6774 | 28 ++++++++++++++++ .../skel/etc/apache/conf.d/security.conf | 38 ++++++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/.werks/6774 b/.werks/6774 new file mode 100644 index 0000000..e79ac4d --- /dev/null +++ b/.werks/6774 @@ -0,0 +1,28 @@ +Title: Add Content-Security-Policy header to prevent some cross site scripting and injection attacks +Level: 1 +Component: multisite +Compatible: compat +Edition: cre +Version: 1.6.0i1 +Date: 1538120513 +Class: security + +When requesting pages from the GUI a <tt>Content-Security-Policy</tt> is now been set in the HTTP +response. Using this mechanism the application can tell the browser which things are allowed to +be done by the web page in the context of the browser. + +We are now, for example limiting the URLs where AJAX calls can be made to or the URLs which can +be used as form targets. This helps to prevent some XSS and other injection attacks. + +The configuration of this policy is made in the apache configuration file +<tt>etc/apache/conf.d/security.conf</tt>. In case you want to have a look at the details or +want to extend the policy somehow you may edit the file in the context of your site configuration. +To apply the changes you need to restart your site apache using <tt>omd restart apache</tt>. + +In case of trouble please let us know. We can probably adapt the default configuration to solve +common issues with this policy for all users. + +One thing that may affect users that include Check_MK pages on other web pages using frames or +iframes: We set the <tt>frame-ancestors</tt> option to <tt>'self'</tt> which means that only pages +with the same protocol, url and port as the Check_MK page may refer to Check_MK pages. You can +extend this statement with the URLs you want to allow. diff --git a/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf new file mode 100644 index 0000000..7122129 --- /dev/null +++ b/omd/packages/apache-omd/skel/etc/apache/conf.d/security.conf @@ -0,0 +1,38 @@ +# This file contains some common security settings we apply to the site apache +# and the requests to it. Please let us know in case these settings limit you +# in valid use cases. + +# Mitigate the risk of cross-site scripting and other injection attacks. +# +# To make things easier, you can use an online CSP header generator +# such as: https://www.cspisawesome.com/. +# +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-… +# https://www.w3.org/TR/CSP3/ +# https://content-security-policy.com/ +# https://www.html5rocks.com/en/tutorials/security/content-security-policy/ +# +<IfModule mod_headers.c> + # Default policy for all not configured ones + Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'" + + # Allow AJAX calls to current scheme/url/port and the crash report API + Header always append Content-Security-Policy "connect-src 'self' https://mathias-kettner.de/crash_report.php" + + # Only allow to include the pages served by this site in frames of same URLs + Header always append Content-Security-Policy "frame-ancestors 'self'" + + # <base>-Tag is limited to current scheme/url/port + Header always append Content-Security-Policy "base-uri 'self'" + + # Form submissions are limited to current scheme/url/port + Header always append Content-Security-Policy "form-action 'self'" + + # Disallow plugins like flash or java + Header always append Content-Security-Policy "object-src 'none'" + + # Only set Content-Security-Policy for web pages and not other resources + <FilesMatch "\.(js|css|png|ico|wav|jpg)$"> + Header always unset Content-Security-Policy + </FilesMatch> +</IfModule>