From dc1b13681f46170523227ceee3f6683eb3af99c8 Mon Sep 17 00:00:00 2001
From: Matthew Kelly
Date: Sat, 12 Mar 2022 22:27:26 +0000
Subject: [PATCH] #276: initial work to add default security headers
---
 README.md | 2 +-
 docs/Getting-Started/Installation.md | 2 +-
 docs/index.md | 2 +-
 examples/login-azure-ad.ps1 | 2 +-
 src/Private/Helpers.ps1 | 39 +++++++++++++++++++++++++
 src/Public/Utilities.ps1 | 16 ++++++++--
 src/Templates/Public/scripts/default.js | 3 +-
 7 files changed, 58 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 5ba429c3..b59fd8c7 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@
 > 💝 A lot of my free time, evenings, and weekends goes into making Pode happen; please do consider sponsoring as it will really help! 😊
-This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.5.0+).
+This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.6.0+).
 It allows you to build web pages purely with PowerShell - no HTML, CSS, or JavaScript knowledge required!
diff --git a/docs/Getting-Started/Installation.md b/docs/Getting-Started/Installation.md
index 085ed634..63c70807 100644
--- a/docs/Getting-Started/Installation.md
+++ b/docs/Getting-Started/Installation.md
@@ -6,7 +6,7 @@ Pode.Web is a PowerShell module that works along side [Pode](https://github.com/
 Before installing Pode.Web, the minimum requirements must be met:
-* Pode v2.5.0+
+* [Pode](https://github.com/Badgerati/Pode) v2.6.0+
 Which also includes Pode's minimum requirements:
 * OS:
diff --git a/docs/index.md b/docs/index.md
index 81cf0550..7101de06 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -7,7 +7,7 @@
 > 💝 A lot of my free time, evenings, and weekends goes into making Pode happen; please do consider sponsoring as it will really help! 😊
-This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.5.0+).
+This is a web template framework for use with the [Pode](https://github.com/Badgerati/Pode) PowerShell web server (v2.6.0+).
 It allows you to build web pages purely with PowerShell - no HTML, CSS, or JavaScript knowledge required!
diff --git a/examples/login-azure-ad.ps1 b/examples/login-azure-ad.ps1
index 484ec9fe..d2d24971 100644
--- a/examples/login-azure-ad.ps1
+++ b/examples/login-azure-ad.ps1
@@ -17,7 +17,7 @@ Start-PodeServer {
 # $scheme = New-PodeAuthAzureADScheme -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -InnerScheme $form # for OAuth2 grant type = auth_code
- $scheme = New-PodeAuthAzureADScheme -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret
+ $scheme = New-PodeAuthAzureADScheme -Tenant $tenantId -ClientId $clientId -UsePKCE
 $scheme | Add-PodeAuth -Name 'AzureAD' -ScriptBlock { param($user, $accessToken, $refreshToken)
diff --git a/src/Private/Helpers.ps1 b/src/Private/Helpers.ps1
index 81489620..6c23e7be 100644
--- a/src/Private/Helpers.ps1
+++ b/src/Private/Helpers.ps1
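Review bot: The uncommented line now omits `-ClientSecret`, but the commented alternative on the context line above still passes `-ClientSecret $clientSecret -InnerScheme $form`, and `$clientSecret` is presumably still assigned earlier in the example (outside this hunk); either drop that assignment or update the comment so readers do not think a secret is still required alongside `-UsePKCE`. A one-line comment such as `# PKCE flow: no client secret is sent` above the new line would make the intent explicit. This change is unrelated to the security-headers subject of the commit and might be easier to track as its own commit.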
@@ -891,4 +891,43 @@ function ConvertTo-PodeWebSize
 }
 return $Value
+}
+
+function Set-PodeWebSecurity
+{
+ param(
+ [Parameter()]
+ [ValidateSet('None', 'Default', 'Simple', 'Strict')]
+ [string]
+ $Security,
+
+ [switch]
+ $UseHsts
+ )
+
+ if ($Security -ieq 'none') {
+ Remove-PodeSecurity
+ return
+ }
+
+ switch ($Security.ToLowerInvariant()) {
+ 'default' {
+ Set-PodeSecurity -Type Simple -UseHsts:$UseHsts
+ Add-PodeSecurityContentSecurityPolicy -Default 'http', 'https'
+ Remove-PodeSecurityCrossOrigin
+ }
+
+ 'simple' {
+ Set-PodeSecurity -Type Simple -UseHsts:$UseHsts
+ }
+
+ 'strict' {
+ Set-PodeSecurity -Type Strict -UseHsts:$UseHsts
+ }
+ }
+
+ Add-PodeSecurityContentSecurityPolicy `
+ -Style 'self', 'unsafe-inline' `
+ -Scripts 'self', 'unsafe-inline' `
+ -Image 'self', 'data'
 }
\ No newline at end of file
diff --git a/src/Public/Utilities.ps1 b/src/Public/Utilities.ps1
index f3c14cb3..9faf7055 100644
--- a/src/Public/Utilities.ps1
+++ b/src/Public/Utilities.ps1
@@ -23,16 +23,24 @@ function Use-PodeWebTemplates
 [string[]]
 $EndpointName,
+ [Parameter()]
+ [ValidateSet('None', 'Default', 'Simple', 'Strict')]
+ [string]
+ $Security = 'Default',
+
 [switch]
 $NoPageFilter,
 [switch]
- $HideSidebar
+ $HideSidebar,
+
+ [switch]
+ $UseHsts
 )
 $mod = (Get-Module -Name Pode -ErrorAction Ignore | Sort-Object -Property Version -Descending | Select-Object -First 1)
- if (($null -eq $mod) -or ($mod.Version -lt [version]'2.5.0')) {
- throw "The Pode module is not loaded. You need at least Pode v2.5.0 to use this version of the Pode.Web module."
+ if (($null -eq $mod) -or ($mod.Version -lt [version]'2.6.0')) {
+ throw "The Pode module is not loaded. You need at least Pode v2.6.0 to use this version of the Pode.Web module."
 }
 if ([string]::IsNullOrWhiteSpace($FavIcon)) {
@@ -84,6 +92,8 @@ function Use-PodeWebTemplates
 }
 }
 }
+
+ Set-PodeWebSecurity -Security $Security -UseHsts:$UseHsts
 }
 function Import-PodeWebStylesheet
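Review bot: `$Security` has no default in Set-PodeWebSecurity, so a call that omits it leaves the value as an empty string (ValidateSet only checks bound values), which skips `Remove-PodeSecurity` and every `switch` arm yet still reaches the trailing `Add-PodeSecurityContentSecurityPolicy`, adding a CSP without the base headers `Set-PodeSecurity` would have set; aligning the helper with Use-PodeWebTemplates via `$Security = 'Default',` closes that gap. Separately, `-Scripts 'self', 'unsafe-inline'` is applied in all three modes, and with `unsafe-inline` the script-src directive does not stop injected inline script, so the policy mainly restricts off-origin script loads; a comment above that call stating this is a known limitation of the current inline-script templates, to be replaced by nonces or hashes, would keep the next reader from assuming more protection than it delivers. In the 'default' arm, `-Default 'http', 'https'` also permits mixed-content fetches for any directive that falls back to default-src, which deserves its own why-comment. Whether the trailing call appends to or replaces the directives set in the 'default' arm depends on Pode's Add-PodeSecurityContentSecurityPolicy semantics, which are not visible here. The file still ends without a trailing newline.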
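Review bot: The new `Security` and `UseHsts` parameters change the response headers every existing Use-PodeWebTemplates caller gets, because `Security` defaults to 'Default' and the trailing `Set-PodeWebSecurity -Security $Security -UseHsts:$UseHsts` in the -84,6 hunk runs unconditionally; apps that load scripts or styles from other origins may break under the new CSP, so the docs and release notes should call this out and name `-Security None` as the opt-out. If Use-PodeWebTemplates carries comment-based help above the param block (outside this hunk), it needs `.PARAMETER Security` and `.PARAMETER UseHsts` entries describing the four modes and noting that browsers only honour HSTS on HTTPS responses. The version-check bump to 2.6.0 is consistent with the README and installation-doc changes in the same commit.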
diff --git a/src/Templates/Public/scripts/default.js b/src/Templates/Public/scripts/default.js
index 28051af7..1791225d 100644
--- a/src/Templates/Public/scripts/default.js
+++ b/src/Templates/Public/scripts/default.js
@@ -118,11 +118,12 @@ function bindFileStreams() {
 }
 },
 error: function(err) {
+ hideSpinner($(e).closest('div.file-stream'));
+
 if (err.status == 416) {
 return;
 }
- hideSpinner($(e).closest('div.file-stream'));
 $(e).attr('pode-streaming', '0');
 addClass($(e).closest('div.file-stream'), 'stream-error');
 hide($(e).closest('div.file-stream').find('div.card-header div div.btn-group'));
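Review bot: The early return on `err.status == 416` carries no explanation, and after this move the only thing distinguishing it from other errors is that the spinner is hidden without the stream being marked `stream-error`; a comment such as `// 416 (Range Not Satisfiable): presumably no new bytes past the current offset, not a stream failure — confirm` above the check would record why it is treated as benign. The comparison uses loose `==`; `err.status === 416` is the stricter form if the rest of the file already uses strict equality. bindFileStreams starts and ends outside this hunk.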