From 59b37b19f1cbdc9d57476727bfa497bf303c11e8 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Thu, 13 Sep 2018 07:20:43 -0400
Subject: [PATCH] ops files for valid x-frame-options settings

These mutually-exclusive ops files configure x-frame-options to help prevent clickjacking attacks.
---
 .../operations/x-frame-options-allow-from.yml | 21 +++++++++++++++++++
 cluster/operations/x-frame-options-deny.yml | 18 ++++++++++++++++
 .../operations/x-frame-options-sameorigin.yml | 18 ++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 cluster/operations/x-frame-options-allow-from.yml
 create mode 100644 cluster/operations/x-frame-options-deny.yml
 create mode 100644 cluster/operations/x-frame-options-sameorigin.yml

diff --git a/cluster/operations/x-frame-options-allow-from.yml b/cluster/operations/x-frame-options-allow-from.yml
new file mode 100644
index 0000000..05a95c1
--- /dev/null
+++ b/cluster/operations/x-frame-options-allow-from.yml
@@ -0,0 +1,21 @@
+#
+# This operations file will configure atc to include this HTTP header:
+#
+# X-Frame-Options: allow-from https://example.com/
+#
+# You can read more about this header and how it might help prevent
+# clickjacking attacks [here][1].
+#
+# [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+#
+# The following URI parameter is required:
+#
+# x_frame_options_allow_from:
+#
+# It is mutually-exclusive with the other two x-frame-options*.yml
+# operations files.
+#
+---
+- type: replace
+ path: /instance_groups/name=web/jobs/name=atc/properties/x_frame_options?
+ value: "allow ((x_frame_options_allow_from))"
diff --git a/cluster/operations/x-frame-options-deny.yml b/cluster/operations/x-frame-options-deny.yml
new file mode 100644
index 0000000..5af47a5
--- /dev/null
+++ b/cluster/operations/x-frame-options-deny.yml
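Review bot: The `value` line emits `allow ((x_frame_options_allow_from))`, while the header comment in the same file documents `X-Frame-Options: allow-from https://example.com/`; the directive defined for this header is `ALLOW-FROM uri`, so if atc passes the property through verbatim as the header value (not visible in this hunk — confirm against the atc job spec), browsers that honour the directive would receive an unrecognised token and apply no framing restriction at all. Either change the line to `value: "allow-from ((x_frame_options_allow_from))"` or, if atc maps the token itself, correct the comment so the two agree. Independently of that, `ALLOW-FROM` was never implemented by Chrome or Safari and is obsolete in current Firefox (the MDN page the comment links to says so), so this ops file gives those clients no clickjacking protection; the header comment should state that limitation and point operators at a Content-Security-Policy `frame-ancestors` directive where atc supports one.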
@@ -0,0 +1,18 @@
+#
+# This operations file will configure atc to include this HTTP header:
+#
+# X-Frame-Options: deny
+#
+# You can read more about this header and how it might help prevent
+# clickjacking attacks [here][1].
+#
+# [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+#
+# There are no configurable parameters associated with this
+# operations file, and it is mutually-exclusive with the other two
+# x-frame-options*.yml operations files.
+#
+---
+- type: replace
+ path: /instance_groups/name=web/jobs/name=atc/properties/x_frame_options?
+ value: "deny"
diff --git a/cluster/operations/x-frame-options-sameorigin.yml b/cluster/operations/x-frame-options-sameorigin.yml
new file mode 100644
index 0000000..6632fff
--- /dev/null
+++ b/cluster/operations/x-frame-options-sameorigin.yml
@@ -0,0 +1,18 @@
+#
+# This operations file will configure atc to include this HTTP header:
+#
+# X-Frame-Options: sameorigin
+#
+# You can read more about this header and how it might help prevent
+# clickjacking attacks [here][1].
+#
+# [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+#
+# There are no configurable parameters associated with this
+# operations file, and it is mutually-exclusive with the other two
+# x-frame-options*.yml operations files.
+#
+---
+- type: replace
+ path: /instance_groups/name=web/jobs/name=atc/properties/x_frame_options?
+ value: "sameorigin"
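Review bot: The comment block says this file is mutually-exclusive with the other two `x-frame-options*.yml` files, but nothing in the ops file enforces that: all three `replace` the same `.../properties/x_frame_options?` path, and the trailing `?` makes the replace succeed whether or not the key already exists, so applying two of them is not an error and whichever is passed last silently wins. That is worth saying in the comment so an operator who layers `-o x-frame-options-deny.yml -o x-frame-options-sameorigin.yml` understands they end up with `sameorigin`, not a failed deploy, e.g. `# Note: applying more than one of these files is not an error; the one applied last sets the value.`. The same wording belongs in the other two files' header comments.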