[Kimchi-devel] [PATCH] security: Prevent XSS attacks

Aline Manera alinefm at linux.vnet.ibm.com
Mon Apr 28 13:13:09 UTC 2014


From: Aline Manera <alinefm at br.ibm.com>

Add the following headers to Kimchi responses:

X-Frame-Options DENY;
X-Content-Type-Options nosniff;
X-XSS-Protection "1; mode=block";

And a Content-Security-Policy header on the error pages rendered by kimchid.

Signed-off-by: Aline Manera <alinefm at br.ibm.com>
---
 src/kimchi/root.py |   11 +++++++++++
 src/nginx.conf.in  |    4 ++++
 2 files changed, 15 insertions(+)

diff --git a/src/kimchi/root.py b/src/kimchi/root.py
index 514d75d..8b1d09b 100644
--- a/src/kimchi/root.py
+++ b/src/kimchi/root.py
@@ -47,18 +47,29 @@ class Root(Resource):
             self._cp_config = dict([(key, self.error_development_handler)
                                     for key in self._handled_error])
 
+    def _set_CSP(self):
+        # set Content-Security-Policy to prevent XSS attacks
+        headers = cherrypy.response.headers
+        headers['Content-Security-Policy'] = "default-src 'self'"
+
     def error_production_handler(self, status, message, traceback, version):
+        self._set_CSP()
+
         data = {'code': status, 'reason': message}
         res = template.render('error.html', data)
+
         if (type(res) is unicode and
                 LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')):
             res = res.encode("utf-8")
         return res
 
     def error_development_handler(self, status, message, traceback, version):
+        self._set_CSP()
+
         data = {'code': status, 'reason': message,
                 'call_stack': cherrypy._cperror.format_exc()}
         res = template.render('error.html', data)
+
         if (type(res) is unicode and
                 LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')):
             res = res.encode("utf-8")
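Review bot: The policy set in `_set_CSP`, `default-src 'self'`, also forbids inline `<script>` and `<style>` blocks, so error.html must load any styling or script from same-origin files or browsers will silently drop them; confirm the template before merging and, if inline styles are really needed, add an explicit `style-src` directive rather than loosening `default-src`. The header is defence in depth only: `message` is still interpolated into the template as `reason`, so the template's own output escaping remains the primary XSS control and should be checked separately. The two handlers now differ only in the `call_stack` key, so the `_set_CSP()` call plus the render/encode sequence could live in one private helper instead of being duplicated. Per PEP 8 the method should be `_set_csp`, and the comment could read `# CSP restricts what an injected script could load/execute; it mitigates, not prevents, XSS`. `error_development_handler` continues past the end of the hunk.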
diff --git a/src/nginx.conf.in b/src/nginx.conf.in
index 967b46b..da6358e 100644
--- a/src/nginx.conf.in
+++ b/src/nginx.conf.in
@@ -47,6 +47,10 @@ http {
         ssl_certificate $cert_pem;
         ssl_certificate_key $cert_key;
 
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
         location / {
             proxy_pass http://localhost:$kimchid_port;
             proxy_set_header Host $host;
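Review bot: Without the `always` flag, nginx applies `add_header` only to 2xx/3xx responses, so the 4xx/5xx error pages proxied from kimchid — the very pages this series hardens with a CSP — would be served without X-Frame-Options, X-Content-Type-Options or X-XSS-Protection. If the target nginx supports it (1.7.5 and later), use `add_header X-Frame-Options DENY always;` and likewise for the other two; otherwise set these headers from CherryPy next to the CSP so every response carries them regardless of status. Note also that server-level `add_header` directives are inherited into `location /` only while that block defines no `add_header` of its own, so a later addition inside the location would silently drop all three; a short comment above them warning of this inheritance rule would help the next editor. These headers only cover traffic that passes through the proxy — if kimchid on `$kimchid_port` is reachable directly (the config shown does not establish whether it binds beyond localhost) the protection is bypassed, which may be worth stating in the commit message.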
-- 
1.7.10.4



