Reviewed-by: Daniel Barboza <danielhb(a)linux.vnet.ibm.com>
On 04/28/2014 10:13 AM, Aline Manera wrote:
From: Aline Manera <alinefm(a)br.ibm.com>
Add the following headers to Kimchi responses:
X-Frame-Options DENY;
X-Content-Type-Options nosniff;
X-XSS-Protection "1; mode=block";
And Content-Security-Policy for error pages.
Signed-off-by: Aline Manera <alinefm(a)br.ibm.com>
---
src/kimchi/root.py | 11 +++++++++++
src/nginx.conf.in | 4 ++++
2 files changed, 15 insertions(+)
diff --git a/src/kimchi/root.py b/src/kimchi/root.py
index 514d75d..8b1d09b 100644
--- a/src/kimchi/root.py
+++ b/src/kimchi/root.py
@@ -47,18 +47,29 @@ class Root(Resource):
self._cp_config = dict([(key, self.error_development_handler)
for key in self._handled_error])
+ def _set_CSP(self):
+ # set Content-Security-Policy to prevent XSS attacks
+ headers = cherrypy.response.headers
+ headers['Content-Security-Policy'] = "default-src
'self'"
+
def error_production_handler(self, status, message, traceback, version):
+ self._set_CSP()
+
data = {'code': status, 'reason': message}
res = template.render('error.html', data)
+
if (type(res) is unicode and
LooseVersion(cherrypy.__version__) <
LooseVersion('3.2.5')):
res = res.encode("utf-8")
return res
def error_development_handler(self, status, message, traceback, version):
+ self._set_CSP()
+
data = {'code': status, 'reason': message,
'call_stack': cherrypy._cperror.format_exc()}
res = template.render('error.html', data)
+
if (type(res) is unicode and
LooseVersion(cherrypy.__version__) <
LooseVersion('3.2.5')):
res = res.encode("utf-8")
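Review bot: The policy `default-src 'self'` added in `_set_CSP` blocks every inline `<script>`/`<style>` and any `data:` or third-party resource, so error.html must be verified to load only same-origin external assets, or the error page will render unstyled and silently log CSP violations; the template is not in this hunk, so this is a check to run, not a confirmed breakage. It is also worth stating in code why the header is applied only in the error handlers, since `reason` and (in the development handler) `call_stack` are the values most likely to echo request data back to the browser: `# CSP is defense in depth for error pages, whose 'reason'/'call_stack' may reflect request input; it does not replace escaping in error.html.` For PEP 8 the helper should be `_set_csp` rather than `_set_CSP`, with both call sites renamed. Note that error_development_handler continues past the end of the hunk.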
diff --git a/src/nginx.conf.in b/src/nginx.conf.in
index 967b46b..da6358e 100644
--- a/src/nginx.conf.in
+++ b/src/nginx.conf.in
@@ -47,6 +47,10 @@ http {
ssl_certificate $cert_pem;
ssl_certificate_key $cert_key;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
location / {
proxy_pass
http://localhost:$kimchid_port;
proxy_set_header Host $host;