From eb6d71514a27e4af5953bd07c34f3ee82c2ef463 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sun, 3 Dec 2017 20:34:02 +0100 Subject: [PATCH] prevent loading resources from external sites MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Make Apache transmit a CSP (Content Security Policy) header for WebUI and Captive Portal contents. This prevents some XSS and content injection attacks, especially in case no transport encryption (Captive Portal!) can be used. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- config/httpd/vhosts.d/captive.conf | 1 + config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 + config/httpd/vhosts.d/ipfire-interface.conf | 1 + 3 files changed, 3 insertions(+) diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf index e71a26081e..629fa81802 100644 --- a/config/httpd/vhosts.d/captive.conf +++ b/config/httpd/vhosts.d/captive.conf @@ -10,6 +10,7 @@ Listen 1013 KeepAlive Off Header always set X-Content-Type-Options nosniff + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/ Alias /assets/ /srv/web/ipfire/html/captive/assets/ diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index c5d8ffba9e..b5052dda4a 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -21,6 +21,7 @@ SSLCertificateKeyFile /etc/httpd/server-ecdsa.key Header always set X-Content-Type-Options nosniff + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Options ExecCGI diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 5c7ddc7197..b709944047 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -7,6 +7,7 @@ RewriteRule .* - [F] Header always set X-Content-Type-Options nosniff + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Options ExecCGI -- 2.39.5