diff --git a/api/http/handler/file/handler.go b/api/http/handler/file/handler.go index 5af91fb9f..ec4f66b70 100644 --- a/api/http/handler/file/handler.go +++ b/api/http/handler/file/handler.go @@ -4,6 +4,9 @@ import ( "net/http" "strings" + "github.com/portainer/portainer/api/http/security" + "github.com/portainer/portainer/pkg/featureflags" + "github.com/gorilla/handlers" ) @@ -16,8 +19,10 @@ type Handler struct { // NewHandler creates a handler to serve static files. func NewHandler(assetPublicPath string, wasInstanceDisabled func() bool) *Handler { h := &Handler{ - Handler: handlers.CompressHandler( - http.FileServer(http.Dir(assetPublicPath)), + Handler: security.MWSecureHeaders( + handlers.CompressHandler(http.FileServer(http.Dir(assetPublicPath))), + featureflags.IsEnabled("hsts"), + featureflags.IsEnabled("csp"), ), wasInstanceDisabled: wasInstanceDisabled, } @@ -53,7 +58,5 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate") } - w.Header().Add("X-XSS-Protection", "1; mode=block") - w.Header().Add("X-Content-Type-Options", "nosniff") handler.Handler.ServeHTTP(w, r) } diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go index 3d684a667..82df8fc5a 100644 --- a/api/http/security/bouncer.go +++ b/api/http/security/bouncer.go @@ -11,10 +11,11 @@ import ( "github.com/portainer/portainer/api/apikey" "github.com/portainer/portainer/api/dataservices" httperrors "github.com/portainer/portainer/api/http/errors" + "github.com/portainer/portainer/pkg/featureflags" httperror "github.com/portainer/portainer/pkg/libhttp/error" - "github.com/rs/zerolog/log" "github.com/pkg/errors" + "github.com/rs/zerolog/log" ) const apiKeyHeader = "X-API-KEY" @@ -43,6 +44,8 @@ type ( jwtService portainer.JWTService apiKeyService apikey.APIKeyService revokedJWT sync.Map + hsts bool + csp bool } // RestrictedRequestContext is a data structure containing information @@ -69,6 +72,8 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW dataStore: dataStore, jwtService: jwtService, apiKeyService: apiKeyService, + hsts: featureflags.IsEnabled("hsts"), + csp: featureflags.IsEnabled("csp"), } go b.cleanUpExpiredJWT() @@ -79,7 +84,7 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW // PublicAccess defines a security check for public API endpoints. // No authentication is required to access these endpoints. func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler { - return mwSecureHeaders(h) + return MWSecureHeaders(h, bouncer.hsts, bouncer.csp) } // AdminAccess defines a security check for API endpoints that require an authorization check. @@ -208,7 +213,8 @@ func (bouncer *RequestBouncer) mwAuthenticatedUser(h http.Handler) http.Handler bouncer.CookieAuthLookup, bouncer.JWTAuthLookup, }, h) - h = mwSecureHeaders(h) + h = MWSecureHeaders(h, bouncer.hsts, bouncer.csp) + return h } @@ -506,10 +512,17 @@ func extractAPIKey(r *http.Request) (string, bool) { return "", false } -// mwSecureHeaders provides secure headers middleware for handlers. -func mwSecureHeaders(next http.Handler) http.Handler { +// MWSecureHeaders provides secure headers middleware for handlers. +func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("X-XSS-Protection", "1; mode=block") + if hsts { + w.Header().Set("Strict-Transport-Security", "max-age=31536000") // 365 days + } + + if csp { + w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud") + } + w.Header().Set("X-Content-Type-Options", "nosniff") next.ServeHTTP(w, r) }) diff --git a/api/portainer.go b/api/portainer.go index 5f361a459..0f7b0aa13 100644 --- a/api/portainer.go +++ b/api/portainer.go @@ -1653,11 +1653,15 @@ const ( // List of supported features const ( - FeatureFdo = "fdo" + FeatureFdo = "fdo" + FeatureHSTS = "hsts" + FeatureCSP = "csp" ) var SupportedFeatureFlags = []featureflags.Feature{ FeatureFdo, + FeatureHSTS, + FeatureCSP, } const ( diff --git a/app/index.html b/app/index.html index 5a21bd71b..370070b48 100644 --- a/app/index.html +++ b/app/index.html @@ -10,19 +10,6 @@ -