Add Content-Security-Policy and X-Frame-Options #465
mtelvers merged 2 commits into ocurrent:master from
Pull Request Overview
This PR adds security headers (X-Frame-Options and Content-Security-Policy) to mitigate clickjacking attacks in the current_web application. These headers prevent the application from being embedded in iframes, protecting administrators from being tricked into performing unwanted actions.
Key changes:
- Introduced a new add_security_headers utility function that adds both security headers to response headers
- Applied the security headers across all response generation points in the application
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| lib_web/utils.ml | Added the add_security_headers helper function to centralize security header management |
| lib_web/resource.ml | Applied security headers to static file and crunched resource responses |
| lib_web/pipeline.ml | Applied security headers to SVG pipeline visualization responses |
| lib_web/log_rules.ml | Applied security headers to CSV export responses |
| lib_web/job.ml | Applied security headers to job log streaming responses |
| lib_web/current_web.ml | Applied security headers to Prometheus metrics endpoint responses |
| lib_web/context.ml | Applied security headers to session cookie responses |
lib_web/resource.ml
Outdated
| @@ -108,6 +108,7 @@ let static ~content_type ?(max_age=86400) body = object | |||
| ("Content-Type", content_type); | |||
| ("Cache-Control", Printf.sprintf "public, max-age=%d;" max_age); | |||
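Review bot: the Cache-Control value built here, `Printf.sprintf "public, max-age=%d;" max_age`, is duplicated verbatim in `crunch` further down in the same file, so the trailing-semicolon correction has to be made twice and the two copies can drift apart again. Since this PR already centralizes the anti-framing headers in `add_security_headers` in lib_web/utils.ml, a companion helper for the cache header in the same place would let `static` and `crunch` share one correct definition, e.g. `let cache_control ~max_age = ("Cache-Control", Printf.sprintf "public, max-age=%d" max_age)`.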
Remove trailing semicolon in Cache-Control header value. The semicolon should only be used as a separator between directives, not as a terminator.
Suggested change:
- ("Cache-Control", Printf.sprintf "public, max-age=%d;" max_age);
+ ("Cache-Control", Printf.sprintf "public, max-age=%d" max_age);
lib_web/resource.ml
Outdated
| @@ -130,6 +131,7 @@ let crunch ?content_type ?(max_age=86400) _ = object | |||
| ("Content-Type", content_type); | |||
| ("Cache-Control", Printf.sprintf "public, max-age=%d;" max_age); | |||
Remove trailing semicolon in Cache-Control header value. The semicolon should only be used as a separator between directives, not as a terminator.
Suggested change:
- ("Cache-Control", Printf.sprintf "public, max-age=%d;" max_age);
+ ("Cache-Control", Printf.sprintf "public, max-age=%d" max_age);
While there is no login form with current_web as it uses OAuth authentication, there is a possible attack vector with clickjacking, whereby a malicious person may trick an administrator into needlessly rebuilding or cancelling pipeline stages.
This PR adds the recommended header options to mitigate such attacks.
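The following is an added illustration of the kind of helper this PR introduces, written for this page and not taken from ocurrent's lib_web/utils.ml. It assumes the header values DENY and frame-ancestors 'none' (the PR does not state which values it chose) and the association-list header representation visible in the hunks above; unlike a plain prepend, it merges frame-ancestors into a CSP the response already carries instead of emitting a second policy header, and it exposes a predicate that a test can run over every response in the per-file table.

```ocaml
(* Assumed values: the strictest options. CSP frame-ancestors is the modern
   control and takes precedence where supported; X-Frame-Options covers
   browsers without CSP Level 2 support. Keep the two consistent. *)
let x_frame_options_value = "DENY"
let frame_ancestors_directive = "frame-ancestors 'none'"

(* HTTP header names are case-insensitive, so compare in lower case. *)
let header_name_is name (k, _) = String.lowercase_ascii k = name

let directives csp =
  String.split_on_char ';' csp |> List.map String.trim |> List.filter (( <> ) "")

let has_frame_ancestors csp =
  List.exists
    (fun d -> String.length d >= 15 && String.sub d 0 15 = "frame-ancestors")
    (directives csp)

(* Add frame-ancestors to an existing policy unless the policy already sets it;
   an existing frame-ancestors is left alone rather than silently tightened. *)
let merge_csp csp =
  if has_frame_ancestors csp then csp
  else String.concat "; " (directives csp @ [ frame_ancestors_directive ])

let add_security_headers (headers : (string * string) list) =
  let headers =
    if List.exists (header_name_is "x-frame-options") headers then headers
    else ("X-Frame-Options", x_frame_options_value) :: headers
  in
  if List.exists (header_name_is "content-security-policy") headers then
    List.map
      (fun (k, v) ->
        if header_name_is "content-security-policy" (k, v) then (k, merge_csp v)
        else (k, v))
      headers
  else ("Content-Security-Policy", frame_ancestors_directive) :: headers

(* Predicate for a test over every response-producing function: both the
   legacy header and a CSP that actually restricts framing must be present. *)
let framing_protected headers =
  List.exists (header_name_is "x-frame-options") headers
  && List.exists
       (fun (k, v) -> header_name_is "content-security-policy" (k, v) && has_frame_ancestors v)
       headers

let () =
  (* Constructed sample: an SVG response that already ships a CSP. *)
  let h =
    add_security_headers
      [ ("Content-Type", "image/svg+xml"); ("Content-Security-Policy", "default-src 'self'") ]
  in
  List.iter (fun (k, v) -> Printf.printf "%s: %s\n" k v) h;
  assert (framing_protected h)
```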