Skip to content
Permalink
Browse files Browse the repository at this point in the history
feat(security): update secured headers and sanitize team name
  • Loading branch information
deviantony committed Aug 15, 2018
1 parent 594daf0 commit 1ad150c
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 4 deletions.
4 changes: 4 additions & 0 deletions api/http/handler/file/handler.go
Expand Up @@ -33,5 +33,9 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} else {
w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
}

w.Header().Add("X-Frame-Options", "DENY")
w.Header().Add("X-XSS-Protection", "1; mode=block")
w.Header().Add("X-Content-Type-Options", "nosniff")
handler.Handler.ServeHTTP(w, r)
}
3 changes: 2 additions & 1 deletion api/http/security/bouncer.go
Expand Up @@ -114,8 +114,9 @@ func (bouncer *RequestBouncer) EndpointAccess(r *http.Request, endpoint *portain
// mwSecureHeaders provides secure headers middleware for handlers.
func mwSecureHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("X-Content-Type-Options", "nosniff")
w.Header().Add("X-Frame-Options", "DENY")
w.Header().Add("X-XSS-Protection", "1; mode=block")
w.Header().Add("X-Content-Type-Options", "nosniff")
next.ServeHTTP(w, r)
})
}
Expand Down
6 changes: 3 additions & 3 deletions app/portainer/views/teams/teamsController.js
@@ -1,6 +1,6 @@
angular.module('portainer.app')
.controller('TeamsController', ['$q', '$scope', '$state', 'TeamService', 'UserService', 'ModalService', 'Notifications', 'Authentication',
function ($q, $scope, $state, TeamService, UserService, ModalService, Notifications, Authentication) {
.controller('TeamsController', ['$q', '$scope', '$state', '$sanitize', 'TeamService', 'UserService', 'ModalService', 'Notifications', 'Authentication',
function ($q, $scope, $state, $sanitize, TeamService, UserService, ModalService, Notifications, Authentication) {
$scope.state = {
actionInProgress: false
};
Expand All @@ -22,7 +22,7 @@ function ($q, $scope, $state, TeamService, UserService, ModalService, Notificati
};

$scope.addTeam = function() {
var teamName = $scope.formValues.Name;
var teamName = $sanitize($scope.formValues.Name);
var leaderIds = [];
angular.forEach($scope.formValues.Leaders, function(user) {
leaderIds.push(user.Id);
Expand Down

0 comments on commit 1ad150c

Please sign in to comment.