From: Aline Manera <alinefm(a)br.ibm.com>
Add the following headers to Kimchi responses:
X-Frame-Options DENY;
X-Content-Type-Options nosniff;
X-XSS-Protection "1; mode=block";
And Content-Security-Policy for error pages.
Signed-off-by: Aline Manera <alinefm(a)br.ibm.com>
---
src/kimchi/root.py | 11 +++++++++++
src/nginx.conf.in | 4 ++++
2 files changed, 15 insertions(+)
diff --git a/src/kimchi/root.py b/src/kimchi/root.py
index 514d75d..8b1d09b 100644
--- a/src/kimchi/root.py
+++ b/src/kimchi/root.py
@@ -47,18 +47,29 @@ class Root(Resource):
self._cp_config = dict([(key, self.error_development_handler)
for key in self._handled_error])
+ def _set_CSP(self):
+ # set Content-Security-Policy to prevent XSS attacks
+ headers = cherrypy.response.headers
+ headers['Content-Security-Policy'] = "default-src
'self'"
+
def error_production_handler(self, status, message, traceback, version):
+ self._set_CSP()
+
data = {'code': status, 'reason': message}
res = template.render('error.html', data)
+
if (type(res) is unicode and
LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')):
res = res.encode("utf-8")
return res
def error_development_handler(self, status, message, traceback, version):
+ self._set_CSP()
+
data = {'code': status, 'reason': message,
'call_stack': cherrypy._cperror.format_exc()}
res = template.render('error.html', data)
+
if (type(res) is unicode and
LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')):
res = res.encode("utf-8")
diff --git a/src/nginx.conf.in b/src/nginx.conf.in
index 967b46b..da6358e 100644
--- a/src/nginx.conf.in
+++ b/src/nginx.conf.in
@@ -47,6 +47,10 @@ http {
ssl_certificate $cert_pem;
ssl_certificate_key $cert_key;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
location / {
proxy_pass
http://localhost:$kimchid_port;
proxy_set_header Host $host;
--
1.7.10.4