[GSoC2024] Added additional security headers #7626
Added headers for: X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Content-Security-Policy
Please add a changelog entry. Also, add "Fixes #7398" to the PR description so that GitHub links it to the issue.
add_header Referrer-Policy "strict-origin-when-cross-origin"; | ||
add_header X-Content-Type-Options "nosniff"; |
add_header Referrer-Policy "strict-origin-when-cross-origin"; | |
add_header X-Content-Type-Options "nosniff"; | |
add_header Referrer-Policy "strict-origin-when-cross-origin" always; | |
add_header X-Content-Type-Options "nosniff" always; |
Same for the other file.
cvat-ui/react_nginx.conf
@@ -21,6 +21,9 @@ server { | |||
add_header Cross-Origin-Embedder-Policy "credentialless"; | |||
add_header Expires 0; | |||
add_header X-Frame-Options "deny"; | |||
add_header Referrer-Policy "strict-origin-when-cross-origin"; | |||
add_header X-Content-Type-Options "nosniff"; | |||
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always; |
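Review bot: the Referrer-Policy and X-Content-Type-Options lines in this hunk lack the "always" parameter that the Content-Security-Policy line on the next line carries. Without "always", nginx's add_header only emits the header on 2xx and 3xx responses, so 4xx/5xx pages served by this block would go out without them; add "always" to both, as the earlier suggestion on the other file already proposes, so all three headers behave consistently.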
I already said this in #7398, but you did not address it: this CSP allows basically everything, so it's pretty useless. Can you come up with a more stringent policy?
@SpecLad I have added a more specific policy. Can you review what needs to be allowed/disallowed? I'll fix it asap.
@@ -21,6 +21,9 @@ server { | |||
add_header Cross-Origin-Embedder-Policy "credentialless"; | |||
add_header Expires 0; | |||
add_header X-Frame-Options "deny"; | |||
add_header Referrer-Policy "strict-origin-when-cross-origin"; | |||
add_header X-Content-Type-Options "nosniff"; | |||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://app.cvat.ai; font-src 'self' https://fonts.gstatic.com; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; manifest-src 'self'; worker-src 'self'; |
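Review bot: compared with the previous revision of this hunk, the Content-Security-Policy line has dropped the "always" parameter, so error responses would no longer carry the policy; please restore it. As rendered here the directive also ends at worker-src 'self'; with no closing double quote and no terminating semicolon for the add_header directive; if that is not a display artifact, nginx -t will reject the config, so run it before pushing. Note also that style-src keeps 'unsafe-inline' alongside the script-src one the reviewer flagged; if inline styles are genuinely required, say so in the PR description so the exception is documented.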
script-src 'unsafe-inline' nullifies most of the advantages of CSP - are you sure it is needed?
https://app.cvat.ai should not be in there - it's specific to our CVAT instance, and is already covered by 'self'.
add_header X-Frame-Options "deny"; | ||
add_header Referrer-Policy "strict-origin-when-cross-origin"; | ||
add_header X-Content-Type-Options "nosniff"; |
You seem to have added duplicate headers.
add_header X-Frame-Options "deny"; | ||
add_header Referrer-Policy "strict-origin-when-cross-origin"; | ||
add_header X-Content-Type-Options "nosniff"; | ||
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://app.cvat.ai; font-src 'self' https://fonts.gstatic.com; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; manifest-src 'self'; worker-src 'self'; |
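Review bot: this policy sets no connect-src, so XHR/fetch requests from pages served by this nginx instance fall back to default-src 'self'; since this block fronts the backend, check that every API call and websocket the listed pages make stays on the same origin, or add an explicit connect-src. As with the UI config, the value as shown has no closing double quote or directive terminator and no "always" parameter, so the backend's own 4xx/5xx responses would be served without the policy.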
This config will likely require a different CSP, because this instance of NGINX hosts the backend, so it should allow resources referenced by pages generated by the backend. In particular, you should examine the external resources loaded by pages like:
https://<domain>/api/docs/
https://<domain>/api/swagger/
https://<domain>/api/about/
https://<domain>/django-rq/
https://<domain>/admin/
@@ -0,0 +1,4 @@ | |||
### Security |
The Security category is for security fixes. This PR is not a fix, it's more of a hardening; so I think this entry belongs in the Added category.
@@ -0,0 +1,4 @@ | |||
### Security | |||
|
|||
- Added security headers. |
Please list which headers were added.
@mach-12, will you have time to finish the PR?
Yes @nmanovic it's on the way. I did a security audit and I'm adding the CSP to address the issues. I also found an XSS in the Django admin dashboard.
Hi, to avoid delaying this PR, let's limit the scope. Content-Security-Policy is complicated, and fairly risky to introduce, and we shouldn't hold off on adding the other two headers in this PR until we get CSP right. Let's just exclude CSP for now.
I don't understand what you want me to review. It's just a list of URLs. Can you elaborate?
Seeing as you haven't replied for over a week, I'm going to close this. If you'd like to go back and finish this, I suggest that you reopen it, and remove the CSP header as I've proposed previously. The other two headers are fairly trivial, so we should be able to get the PR in working order quickly.
Fixes #7398
Added security headers for Referrer-Policy, X-Content-Type-Options, Content-Security-Policy.
Motivation and context
Referring to Issue #7398, added additional security headers. Added to address the deduction in security score rating by third party scanners.
Referrer-Policy "strict-origin-when-cross-origin": Limit the referrer information sent when a user navigates away from the website.
X-Content-Type-Options "nosniff": Prevent browsers from attempting to MIME-sniff the content type of a response to reduce risk of XSS and Content Injection.
Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always: Set rules to limit what resources a browser can load from our site to reduce the risk of XSS and Data Injection.
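As an added example (not part of this PR or of CVAT), a small Python linter that parses a CSP header value and flags the weaknesses raised in this review: 'unsafe-inline' in the effective script-src, bare scheme sources in default-src or script-src, a host that is already covered by 'self', and an unrestricted object-src. The two policy strings are the ones from the PR diff; the self origin https://app.cvat.ai is taken from the second policy.

```python
"""CSP lint for the two policies proposed in this PR (added example, not CVAT code)."""
import re

# Both policy strings are copied from the PR diff.
FIRST_POLICY = "default-src 'self' http: https: data: blob: 'unsafe-inline'"
SECOND_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "img-src 'self' data: https://app.cvat.ai; font-src 'self' https://fonts.gstatic.com; "
    "frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; "
    "frame-ancestors 'none'; manifest-src 'self'; worker-src 'self'"
)
SCHEME_SOURCE = re.compile(r"(https?|data|blob|filesystem):")


def parse_csp(policy: str) -> dict:
    """Split a header value into {directive: [source expressions]} in policy order."""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    return csp


def effective_sources(csp: dict, directive: str) -> list:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return csp.get(directive, csp.get("default-src", []))


def lint_csp(policy: str, self_origin: str) -> list:
    """Return findings for the weaknesses discussed in the review, in policy order."""
    csp = parse_csp(policy)
    findings = []
    if "'unsafe-inline'" in effective_sources(csp, "script-src"):
        findings.append("script-src allows 'unsafe-inline'")
    # A bare scheme in default-src or script-src lets any host on that scheme serve scripts.
    for directive in ("default-src", "script-src"):
        for src in csp.get(directive, []):
            if SCHEME_SOURCE.fullmatch(src):
                findings.append(f"{directive} allows scheme source {src}")
    # A host equal to the deploying origin is redundant next to 'self'.
    for directive, sources in csp.items():
        if "'self'" in sources:
            for src in sources:
                if src.rstrip("/") == self_origin:
                    findings.append(f"{directive} lists {src}, already covered by 'self'")
    if "object-src" not in csp and "'none'" not in csp.get("default-src", []):
        findings.append("object-src is not restricted (no object-src, default-src is not 'none')")
    return findings


if __name__ == "__main__":
    for name, policy in (("first", FIRST_POLICY), ("second", SECOND_POLICY)):
        print(name, *lint_csp(policy, "https://app.cvat.ai"), sep="\n  ")
```

The first policy yields six findings (inline scripts plus the four scheme sources and no object-src restriction); the second yields only the 'unsafe-inline' and app.cvat.ai points the reviewer made.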