Add common web-app security headers #4405

Merged
merged 8 commits into from Jan 23, 2019

3 participants
@gschueler
Member

gschueler commented Jan 22, 2019

Is this a bugfix, or an enhancement? Please describe.

Adds some default HTTP security headers to the application.

Describe the solution you've implemented

Default set of enabled security headers, and allows configuration of all headers.

  • X-Content-Type-Options: nosniff
  • X-XSS-protection: 1
  • X-Frame-Options: deny
  • Content-Security-Policy header with a default policy (and X-Content-Security-Policy, X-WebKit-CSP)
  • Optional custom headers, if security policy differs or there are new requirements.

Additional context

Improves web-app security against common attacks.

Modifies the src URL for the first-run external image loaded to use https://media.rundeck.org and allows access in the CSP.

Configuration via rundeck-config.properties

The default configuration values are shown below.

# enable security headers filter to add these headers (default: true)
rundeck.security.httpHeaders.enabled=true

#########
# enable x-content-type-options: nosniff  (default: true)
rundeck.security.httpHeaders.provider.xcto.enabled=true

#########
# enable x-xss-protection: 1  (default: true)
rundeck.security.httpHeaders.provider.xxssp.enabled=true
#
# Alternates for x-xss-protection:
#
# use x-xss-protection: 1; mode=block
# rundeck.security.httpHeaders.provider.xxssp.config.block=true
#
# use x-xss-protection: 1; report=https://some-uri
# rundeck.security.httpHeaders.provider.xxssp.config.report=https://some-uri

########
# enable x-frame-options: deny  (default: true)
rundeck.security.httpHeaders.provider.xfo.enabled=true
#
# Alternate settings for x-frame-options:
#
# use x-frame-options: sameorigin
# rundeck.security.httpHeaders.provider.xfo.config.sameorigin=true
#
# use x-frame-options: allow-from: src
# rundeck.security.httpHeaders.provider.xfo.config.allowFrom=src

#######
# enable Content-Security-Policy header (default: true)
rundeck.security.httpHeaders.provider.csp.enabled=true
#
# You can disable the `X-` variants of Content-Security-Policy if desired, but they are enabled by default:
#
# This disables the X-Content-Security-Policy header name
# rundeck.security.httpHeaders.provider.csp.config.include-xcsp-header=false
#
# This disables the X-WebKit-CSP header name
# rundeck.security.httpHeaders.provider.csp.config.include-xwkcsp-header=false
#
# You can specify an explicit policy, which will override directives declared below
#
# rundeck.security.httpHeaders.provider.csp.config.policy=default-src 'none'; connect-src 'self' ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data: ; img-src 'self' https://media.rundeck.org ; form-action 'self' ;
#
# Or you can specify individual directives:
#
rundeck.security.httpHeaders.provider.csp.config.default-src=none
rundeck.security.httpHeaders.provider.csp.config.connect-src=self
rundeck.security.httpHeaders.provider.csp.config.style-src=self unsafe-inline
rundeck.security.httpHeaders.provider.csp.config.script-src=self unsafe-inline unsafe-eval
rundeck.security.httpHeaders.provider.csp.config.font-src=self data:
rundeck.security.httpHeaders.provider.csp.config.img-src=self https://media.rundeck.org
rundeck.security.httpHeaders.provider.csp.config.form-action=self

#######
# enable any custom additional headers (default: false)
#
# rundeck.security.httpHeaders.provider.custom.enabled=true
# rundeck.security.httpHeaders.provider.custom.config.name=X-Other-Security-Policy
# rundeck.security.httpHeaders.provider.custom.config.value=default-src 'none';
# rundeck.security.httpHeaders.provider.custom.config.name2=X-other-header
# rundeck.security.httpHeaders.provider.custom.config.value2=some value

References:

@gschueler gschueler added this to the 3.0.13 milestone Jan 22, 2019

@gschueler gschueler requested review from ProTip and sjrd218 Jan 22, 2019
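The mapping from the `rundeck.security.httpHeaders.*` properties above to the emitted headers, as an added reference model that is not Rundeck's own filter code: it parses a properties snippet, quotes CSP keywords (`none`, `self`, `unsafe-inline`, `unsafe-eval`) the way the explicit policy shows, honours the explicit `csp.config.policy` override and the `include-xcsp-header` / `include-xwkcsp-header` switches, and returns the header set a reviewer would expect to see on a response. The sample configuration and the `build_headers` / `csp_value` helper names are constructed for illustration.

```python
PREFIX = "rundeck.security.httpHeaders."
CSP_KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}  # CSP requires these single-quoted
CSP_META = {"policy", "include-xcsp-header", "include-xwkcsp-header"}  # csp.config keys that are not directives

# Constructed sample: the PR's defaults with three overrides (not a real Rundeck config file).
SAMPLE_CONFIG = """
rundeck.security.httpHeaders.provider.csp.config.include-xcsp-header=false
rundeck.security.httpHeaders.provider.csp.config.default-src=none
rundeck.security.httpHeaders.provider.csp.config.img-src=self https://media.rundeck.org
"""

def parse_properties(text):
    """Parse key=value lines of a .properties file, skipping blank lines and '#' comments."""
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines()) if l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def csp_value(tokens):
    """Quote CSP keywords; schemes (data:) and hosts stay bare, so 'self data:' becomes 'self' data:."""
    return " ".join(f"'{t}'" if t in CSP_KEYWORDS else t for t in tokens.split())

def build_headers(props):
    """Return the response headers the filter would add for the parsed properties."""
    p = lambda key, default="": props.get(PREFIX + key, default)
    on = lambda key, default: p(key, default).lower() == "true"
    headers = {}
    if not on("enabled", "true"):  # whole filter switched off
        return headers
    if on("provider.xcto.enabled", "true"):
        headers["X-Content-Type-Options"] = "nosniff"
    if on("provider.xxssp.enabled", "true"):
        xxssp = "1" + ("; mode=block" if on("provider.xxssp.config.block", "false") else "")
        report = p("provider.xxssp.config.report")
        headers["X-XSS-Protection"] = xxssp + (f"; report={report}" if report else "")
    if on("provider.xfo.enabled", "true"):
        allow_from = p("provider.xfo.config.allowFrom")
        headers["X-Frame-Options"] = ("sameorigin" if on("provider.xfo.config.sameorigin", "false")
                                      else f"allow-from {allow_from}" if allow_from else "deny")
    if on("provider.csp.enabled", "true"):
        policy = p("provider.csp.config.policy")
        if not policy:  # no explicit policy: assemble one from the individual directive keys
            cfg = PREFIX + "provider.csp.config."
            policy = "; ".join(f"{k[len(cfg):]} {csp_value(v)}" for k, v in props.items()
                               if k.startswith(cfg) and k[len(cfg):] not in CSP_META)
        headers["Content-Security-Policy"] = policy
        if on("provider.csp.config.include-xcsp-header", "true"):  # deprecated X- variant
            headers["X-Content-Security-Policy"] = policy
        if on("provider.csp.config.include-xwkcsp-header", "true"):  # deprecated X- variant
            headers["X-WebKit-CSP"] = policy
    return headers
```

Running `build_headers(parse_properties(SAMPLE_CONFIG))` shows the effect of the `include-xcsp-header=false` override: `Content-Security-Policy` and `X-WebKit-CSP` are emitted, `X-Content-Security-Policy` is not.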

@sjrd218

Contributor

sjrd218 commented Jan 22, 2019

On the content-security-policy.com site it says the following: Note: It is known that having both Content-Security-Policy and X-Content-Security-Policy or X-Webkit-CSP causes unexpected behaviours on certain versions of browsers. Please avoid using deprecated X-* headers.

Should we set
rundeck.security.httpHeaders.provider.csp.config.include-xcsp-header=false
and
rundeck.security.httpHeaders.provider.csp.config.include-xwkcsp-header=false
to false by default because of that?

@ProTip

Contributor

ProTip commented Jan 22, 2019

I have gone ahead and added some config options in the Docker image in case users need to switch off the new defaults:

b7f474d

@gschueler

Member Author

gschueler commented Jan 22, 2019

@sjrd218 yes, good idea

@ProTip

ProTip approved these changes Jan 22, 2019

@gschueler gschueler merged commit cac2d5e into master Jan 23, 2019

20 checks passed