[GSoC2024] Added additional security headers (#7752)

Added security headers for Referrer-Policy, X-Content-Type-Options. Referring to Issue #7398, Added additional security headers. Added to address the deduction in security score rating third party scanners. - Referrer-Policy "strict-origin-when-cross-origin";: Limit the referrer information sent when a user navigates away from the website - X-Content-Type-Options "nosniff";: Prevent browsers from attempting to MIME-sniff the content type of a response to reduce risk of XSS and Content Injection Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
cvat-ai · May 20, 2024 · 146e188 · 146e188
1 parent cfcac93
commit 146e188
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/changelog.d/20240319_014508_mann.compi.md b/changelog.d/20240319_014508_mann.compi.md
@@ -0,0 +1,4 @@
+### Added
+
+- Added security headers enforcing strict `Referrer-Policy` for cross origins and disabling MIME type sniffing via `X-Content-Type-Options`.
+  (<https://github.com/opencv/cvat/pull/7752>)
diff --git a/cvat-ui/react_nginx.conf b/cvat-ui/react_nginx.conf
@@ -26,6 +26,8 @@ server {
         add_header Cross-Origin-Embedder-Policy "credentialless";
         add_header Expires 0;
         add_header X-Frame-Options "deny";
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header X-Content-Type-Options "nosniff" always; 
     }
 
     location /assets {

diff --git a/cvat/nginx.conf b/cvat/nginx.conf
@@ -47,6 +47,8 @@ http {
     client_max_body_size 1G;
 
     add_header X-Frame-Options deny;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header X-Content-Type-Options "nosniff" always;
 
     server_name _;