MinIO Console security headers #18631
Conversation
Why does it need to be customizable?
CSP is required to further restrict where web resources load from (CSS, JS, etc.), especially useful to prevent XSS in MinIO Console. It is a best practice to set a restrictive CSP; also, XSS has been in the OWASP Top 10 for many years and CSP is one of the recommended. We are also having customers requesting this because a vuln showed up in their 3rd-party pentests @harshavardhana
We can set standard headers and be done with it. Why does it need to be customized?
That won't work for all cases, because of third-party services like OpenID, LDAP, etc. Anything Console needs to interact with from the client (browser) directly, we'll need to know which domains to trust, i.e. for an XHR call to OpenID
Can you provide examples of all the values that can be configured and what the value is that users must set in those scenarios? I don't think adding this as a naked environment variable is going to work; something that can take literally any string doesn't make sense.
So it transfers the value from one env var to another. Why not just set the correct one from the beginning?
We are removing all set env variables for console and then setting only "the right ones"; not my design so I can advocate for it, I am just following the established pattern @klauspost (Lines 212 to 217 in 4a21dce)
I provided a "starter" example policy as a comment @harshavardhana. Although I cannot foresee all scenarios, because (as the purpose of CSP is) CSP is to constrain which domains resources can load from, which is why we need to allow the admin to set this value.
Which would be the preferred way? i.e. we could verify the input is a valid CSP, like by using the
That is because the Console's own defaults must be removed, or some user mistakenly set something for CONSOLE_ - we want them to use MINIO_ not CONSOLE_.
Is this PR ready, or are we making any more changes?
There are 3 things that are needed - which one is covered in this PR?
WIP, just rebased to resolve conflicts
Content-Security-Policy response header value in env variable
This is ready @harshavardhana
* csp_policy
* hsts_seconds
* hsts_include_subdomains
* hsts_preload
* referrer_policy
Community Contribution License
All community contributions in this pull request are licensed to the project maintainers
under the terms of the Apache 2 license.
By creating this pull request I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 license.
Description

New config section browser to store Browser (console) dynamic settings.

Allow setting the values for response headers:
Read settings from env variables:
Settings have default values:
  Content-Security-Policy = default-src 'self' 'unsafe-eval' 'unsafe-inline';
  Referrer-Policy = strict-origin-when-cross-origin
  Strict-Transport-Security: not set

This PR depends on minio/madmin-go#255 to be merged first
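The thread above asks how a configured value could be verified as a valid CSP rather than accepted as "literally any string", and the Description lists the defaults for the three headers. The following Go program is an added example written for this page; it is not code from this PR, from MinIO Console or from madmin-go. It assumes hypothetical MINIO_BROWSER_* env var names (MINIO_ prefix as the maintainers asked), an on/off convention for the two boolean settings, and a structural CSP check (known directive names, no duplicates, no CR/LF bytes that would split the header) rather than a full CSP parser.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// BrowserConfig holds the five settings the PR lists (csp_policy, hsts_seconds,
// hsts_include_subdomains, hsts_preload, referrer_policy). The struct, the MINIO_
// env var names and the validation rules are assumptions made for this example.
type BrowserConfig struct {
	CSPPolicy, ReferrerPolicy          string
	HSTSSeconds                        int
	HSTSIncludeSubdomains, HSTSPreload bool
}

const ( // defaults as stated in the PR description; HSTS is unset unless hsts_seconds > 0
	defaultCSP      = "default-src 'self' 'unsafe-eval' 'unsafe-inline';"
	defaultReferrer = "strict-origin-when-cross-origin"
	envCSP, envRef  = "MINIO_BROWSER_CSP_POLICY", "MINIO_BROWSER_REFERRER_POLICY"
	envSecs, envSub = "MINIO_BROWSER_HSTS_SECONDS", "MINIO_BROWSER_HSTS_INCLUDE_SUBDOMAINS"
	envPre          = "MINIO_BROWSER_HSTS_PRELOAD"
)

// Space-delimited allow-lists (directive names from CSP3, tokens from the Referrer
// Policy spec). Values outside them are rejected at load time, not handed to browsers.
const cspDirectives = " default-src script-src style-src img-src connect-src font-src object-src" +
	" media-src frame-src child-src worker-src manifest-src frame-ancestors form-action base-uri" +
	" sandbox upgrade-insecure-requests block-all-mixed-content report-uri report-to" +
	" require-trusted-types-for trusted-types "
const referrerPolicies = " no-referrer no-referrer-when-downgrade origin origin-when-cross-origin" +
	" same-origin strict-origin strict-origin-when-cross-origin unsafe-url "

// ValidateCSP is the "verify the input is a valid CSP" check the thread asks for: a
// structural check (no header-splitting bytes, known directive names, no duplicates),
// not a full parser of source expressions.
func ValidateCSP(policy string) error {
	if strings.ContainsAny(policy, "\r\n\x00") {
		return fmt.Errorf("csp_policy: control characters are not allowed in a header value")
	}
	seen := map[string]bool{}
	for _, d := range strings.Split(policy, ";") {
		if d = strings.TrimSpace(d); d == "" {
			continue
		}
		name := strings.ToLower(strings.Fields(d)[0])
		if !strings.Contains(cspDirectives, " "+name+" ") {
			return fmt.Errorf("csp_policy: unknown directive %q", name)
		}
		if seen[name] {
			return fmt.Errorf("csp_policy: duplicate directive %q (browsers keep only the first)", name)
		}
		seen[name] = true
	}
	if len(seen) == 0 {
		return fmt.Errorf("csp_policy: policy contains no directives")
	}
	return nil
}

// LoadBrowserConfig applies the defaults, then overrides from the environment,
// rejecting malformed values instead of copying a raw string into a header.
// Boolean settings use an on/off convention (assumed here): only "on" enables them.
func LoadBrowserConfig(getenv func(string) string) (BrowserConfig, error) {
	cfg := BrowserConfig{CSPPolicy: defaultCSP, ReferrerPolicy: defaultReferrer}
	if v := getenv(envCSP); v != "" {
		if err := ValidateCSP(v); err != nil {
			return cfg, err
		}
		cfg.CSPPolicy = v
	}
	if v := strings.ToLower(getenv(envRef)); v != "" {
		if !strings.Contains(referrerPolicies, " "+v+" ") {
			return cfg, fmt.Errorf("referrer_policy: unsupported value %q", v)
		}
		cfg.ReferrerPolicy = v
	}
	if v := getenv(envSecs); v != "" {
		n, err := strconv.Atoi(v)
		if err != nil || n < 0 {
			return cfg, fmt.Errorf("hsts_seconds: want a non-negative integer, got %q", v)
		}
		cfg.HSTSSeconds = n
	}
	cfg.HSTSIncludeSubdomains = strings.EqualFold(getenv(envSub), "on")
	cfg.HSTSPreload = strings.EqualFold(getenv(envPre), "on")
	return cfg, nil
}

// Headers renders the config as the response headers a middleware would set on every
// Console response. Strict-Transport-Security is emitted only when hsts_seconds > 0.
func (c BrowserConfig) Headers() http.Header {
	h := http.Header{}
	h.Set("Content-Security-Policy", c.CSPPolicy)
	h.Set("Referrer-Policy", c.ReferrerPolicy)
	if c.HSTSSeconds > 0 {
		v := "max-age=" + strconv.Itoa(c.HSTSSeconds)
		if c.HSTSIncludeSubdomains {
			v += "; includeSubDomains"
		}
		if c.HSTSPreload {
			v += "; preload"
		}
		h.Set("Strict-Transport-Security", v)
	}
	return h
}

func main() { // prints the headers derived from the current environment
	cfg, err := LoadBrowserConfig(os.Getenv)
	fmt.Println(cfg.Headers(), err)
}
```

With no MINIO_BROWSER_* variables set, the program yields exactly the three defaults from the Description (no HSTS header at all). Setting, for example, a connect-src directive that names the OpenID provider's origin passes ValidateCSP, while a value containing CR/LF, an unknown or duplicated directive, or a Referrer-Policy token outside the spec list fails at load time, which is the behaviour the maintainers wanted instead of a naked pass-through.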
Motivation and Context
The application does not respond with security headers; such headers help to prevent Cross-Site Scripting attacks or mitigate MITM attacks.