#276: initial work to add default security headers

Badgerati · Mar 12, 2022 · dc1b136 · dc1b136
1 parent ae375f1
commit dc1b136
Show file tree

Hide file tree

Showing 7 changed files with 58 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@
 
 > 💝 A lot of my free time, evenings, and weekends goes into making Pode happen; please do consider sponsoring as it will really help! 😊
 
-This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.5.0+).
+This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.6.0+).
 
 It allows you to build web pages purely with PowerShell - no HTML, CSS, or JavaScript knowledge required!
 

diff --git a/docs/Getting-Started/Installation.md b/docs/Getting-Started/Installation.md
@@ -6,7 +6,7 @@ Pode.Web is a PowerShell module that works along side [Pode](https://github.com/
 
 Before installing Pode.Web, the minimum requirements must be met:
 
-* Pode v2.5.0+
+* [Pode](https://github.com/Badgerati/Pode) v2.6.0+
 
 Which also includes Pode's minimum requirements:
 * OS:

diff --git a/docs/index.md b/docs/index.md
@@ -7,7 +7,7 @@
 
 > 💝 A lot of my free time, evenings, and weekends goes into making Pode happen; please do consider sponsoring as it will really help! 😊
 
-This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.5.0+).
+This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.6.0+).
 
 It allows you to build web pages purely with PowerShell - no HTML, CSS, or JavaScript knowledge required!
 

diff --git a/examples/login-azure-ad.ps1 b/examples/login-azure-ad.ps1
@@ -17,7 +17,7 @@ Start-PodeServer {
     # $scheme = New-PodeAuthAzureADScheme -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -InnerScheme $form
 
     # for OAuth2 grant type = auth_code
-    $scheme = New-PodeAuthAzureADScheme -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret
+    $scheme = New-PodeAuthAzureADScheme -Tenant $tenantId -ClientId $clientId -UsePKCE
 
     $scheme | Add-PodeAuth -Name 'AzureAD' -ScriptBlock {
         param($user, $accessToken, $refreshToken)

diff --git a/src/Private/Helpers.ps1 b/src/Private/Helpers.ps1
@@ -891,4 +891,43 @@ function ConvertTo-PodeWebSize
     }
 
     return $Value
+}
+
+function Set-PodeWebSecurity
+{
+    param(
+        [Parameter()]
+        [ValidateSet('None', 'Default', 'Simple', 'Strict')]
+        [string]
+        $Security,
+
+        [switch]
+        $UseHsts
+    )
+
+    if ($Security -ieq 'none') {
+        Remove-PodeSecurity
+        return
+    }
+
+    switch ($Security.ToLowerInvariant()) {
+        'default' {
+            Set-PodeSecurity -Type Simple -UseHsts:$UseHsts
+            Add-PodeSecurityContentSecurityPolicy -Default 'http', 'https'
+            Remove-PodeSecurityCrossOrigin
+        }
+
+        'simple' {
+            Set-PodeSecurity -Type Simple -UseHsts:$UseHsts
+        }
+
+        'strict' {
+            Set-PodeSecurity -Type Strict -UseHsts:$UseHsts
+        }
+    }
+
+    Add-PodeSecurityContentSecurityPolicy `
+        -Style 'self', 'unsafe-inline' `
+        -Scripts 'self', 'unsafe-inline' `
+        -Image 'self', 'data'
 }
diff --git a/src/Public/Utilities.ps1 b/src/Public/Utilities.ps1
@@ -23,16 +23,24 @@ function Use-PodeWebTemplates
         [string[]]
         $EndpointName,
 
+        [Parameter()]
+        [ValidateSet('None', 'Default', 'Simple', 'Strict')]
+        [string]
+        $Security = 'Default',
+
         [switch]
         $NoPageFilter,
 
         [switch]
-        $HideSidebar
+        $HideSidebar,
+
+        [switch]
+        $UseHsts
     )
 
     $mod = (Get-Module -Name Pode -ErrorAction Ignore | Sort-Object -Property Version -Descending | Select-Object -First 1)
-    if (($null -eq $mod) -or ($mod.Version -lt [version]'2.5.0')) {
-        throw "The Pode module is not loaded. You need at least Pode v2.5.0 to use this version of the Pode.Web module."
+    if (($null -eq $mod) -or ($mod.Version -lt [version]'2.6.0')) {
+        throw "The Pode module is not loaded. You need at least Pode v2.6.0 to use this version of the Pode.Web module."
     }
 
     if ([string]::IsNullOrWhiteSpace($FavIcon)) {
@@ -84,6 +92,8 @@ function Use-PodeWebTemplates
             }
         }
     }
+
+    Set-PodeWebSecurity -Security $Security -UseHsts:$UseHsts
 }
 
 function Import-PodeWebStylesheet

diff --git a/src/Templates/Public/scripts/default.js b/src/Templates/Public/scripts/default.js
@@ -118,11 +118,12 @@ function bindFileStreams() {
                     }
                 },
                 error: function(err) {
+                    hideSpinner($(e).closest('div.file-stream'));
+
                     if (err.status == 416) {
                         return;
                     }
 
-                    hideSpinner($(e).closest('div.file-stream'));
                     $(e).attr('pode-streaming', '0');
                     addClass($(e).closest('div.file-stream'), 'stream-error');
                     hide($(e).closest('div.file-stream').find('div.card-header div div.btn-group'));