[Kimchi-devel] [PATCH] security: Prevent XSS attacks

Daniel H Barboza danielhb at linux.vnet.ibm.com
Mon Apr 28 17:47:38 UTC 2014


Reviewed-by: Daniel Barboza <danielhb at linux.vnet.ibm.com>

On 04/28/2014 10:13 AM, Aline Manera wrote:
> From: Aline Manera <alinefm at br.ibm.com>
>
> Add the following headers to Kimchi responses:
>
> X-Frame-Options DENY;
> X-Content-Type-Options nosniff;
> X-XSS-Protection "1; mode=block";
>
> And Content-Security-Policy for error pages.
>
> Signed-off-by: Aline Manera <alinefm at br.ibm.com>
> ---
>   src/kimchi/root.py |   11 +++++++++++
>   src/nginx.conf.in  |    4 ++++
>   2 files changed, 15 insertions(+)
>
> diff --git a/src/kimchi/root.py b/src/kimchi/root.py
> index 514d75d..8b1d09b 100644
> --- a/src/kimchi/root.py
> +++ b/src/kimchi/root.py
> @@ -47,18 +47,29 @@ class Root(Resource):
>               self._cp_config = dict([(key, self.error_development_handler)
>                                       for key in self._handled_error])
>
> +    def _set_CSP(self):
> +        # set Content-Security-Policy to prevent XSS attacks
> +        headers = cherrypy.response.headers
> +        headers['Content-Security-Policy'] = "default-src 'self'"
> +
>       def error_production_handler(self, status, message, traceback, version):
> +        self._set_CSP()
> +
>           data = {'code': status, 'reason': message}
>           res = template.render('error.html', data)
> +
>           if (type(res) is unicode and
>                   LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')):
>               res = res.encode("utf-8")
>           return res
>
>       def error_development_handler(self, status, message, traceback, version):
> +        self._set_CSP()
> +
>           data = {'code': status, 'reason': message,
>                   'call_stack': cherrypy._cperror.format_exc()}
>           res = template.render('error.html', data)
> +
>           if (type(res) is unicode and
>                   LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')):
>               res = res.encode("utf-8")
> diff --git a/src/nginx.conf.in b/src/nginx.conf.in
> index 967b46b..da6358e 100644
> --- a/src/nginx.conf.in
> +++ b/src/nginx.conf.in
> @@ -47,6 +47,10 @@ http {
>           ssl_certificate $cert_pem;
>           ssl_certificate_key $cert_key;
>
> +        add_header X-Frame-Options DENY;
> +        add_header X-Content-Type-Options nosniff;
> +        add_header X-XSS-Protection "1; mode=block";
> +
>           location / {
>               proxy_pass http://localhost:$kimchid_port;
>               proxy_set_header Host $host;
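Review bot: `add_header` without the `always` parameter is only emitted on 2xx and 3xx responses, so 4xx/5xx answers proxied back from kimchid — the very error pages the root.py hunk hardens — will not carry X-Frame-Options or X-Content-Type-Options; where the deployed nginx is 1.7.5 or newer, `add_header X-Frame-Options DENY always;` (and likewise for the other two) closes that gap. Separately, nginx inherits `add_header` from the enclosing level only when the current level declares no `add_header` of its own, so any `location` block that adds even one header of its own silently drops all three of these; a comment above them would prevent that regression, e.g. `# NOTE: not inherited into any location that sets its own add_header`. The `location /` block continues past the end of the hunk, so whether it declares headers of its own is not visible here.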



