diff --git a/api/http/handler/file/handler.go b/api/http/handler/file/handler.go
index 5af91fb9f..ec4f66b70 100644
--- a/api/http/handler/file/handler.go
+++ b/api/http/handler/file/handler.go
@@ -4,6 +4,9 @@ import (
"net/http"
"strings"
+ "github.com/portainer/portainer/api/http/security"
+ "github.com/portainer/portainer/pkg/featureflags"
+
"github.com/gorilla/handlers"
)
@@ -16,8 +19,10 @@ type Handler struct {
// NewHandler creates a handler to serve static files.
func NewHandler(assetPublicPath string, wasInstanceDisabled func() bool) *Handler {
h := &Handler{
- Handler: handlers.CompressHandler(
- http.FileServer(http.Dir(assetPublicPath)),
+ Handler: security.MWSecureHeaders(
+ handlers.CompressHandler(http.FileServer(http.Dir(assetPublicPath))),
+ featureflags.IsEnabled("hsts"),
+ featureflags.IsEnabled("csp"),
),
wasInstanceDisabled: wasInstanceDisabled,
}
@@ -53,7 +58,5 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
}
- w.Header().Add("X-XSS-Protection", "1; mode=block")
- w.Header().Add("X-Content-Type-Options", "nosniff")
handler.Handler.ServeHTTP(w, r)
}
diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index 3d684a667..82df8fc5a 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -11,10 +11,11 @@ import (
"github.com/portainer/portainer/api/apikey"
"github.com/portainer/portainer/api/dataservices"
httperrors "github.com/portainer/portainer/api/http/errors"
+ "github.com/portainer/portainer/pkg/featureflags"
httperror "github.com/portainer/portainer/pkg/libhttp/error"
- "github.com/rs/zerolog/log"
"github.com/pkg/errors"
+ "github.com/rs/zerolog/log"
)
const apiKeyHeader = "X-API-KEY"
@@ -43,6 +44,8 @@ type (
jwtService portainer.JWTService
apiKeyService apikey.APIKeyService
revokedJWT sync.Map
+ hsts bool
+ csp bool
}
// RestrictedRequestContext is a data structure containing information
@@ -69,6 +72,8 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
dataStore: dataStore,
jwtService: jwtService,
apiKeyService: apiKeyService,
+ hsts: featureflags.IsEnabled("hsts"),
+ csp: featureflags.IsEnabled("csp"),
}
go b.cleanUpExpiredJWT()
@@ -79,7 +84,7 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
// PublicAccess defines a security check for public API endpoints.
// No authentication is required to access these endpoints.
func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler {
- return mwSecureHeaders(h)
+ return MWSecureHeaders(h, bouncer.hsts, bouncer.csp)
}
// AdminAccess defines a security check for API endpoints that require an authorization check.
@@ -208,7 +213,8 @@ func (bouncer *RequestBouncer) mwAuthenticatedUser(h http.Handler) http.Handler
bouncer.CookieAuthLookup,
bouncer.JWTAuthLookup,
}, h)
- h = mwSecureHeaders(h)
+ h = MWSecureHeaders(h, bouncer.hsts, bouncer.csp)
+
return h
}
@@ -506,10 +512,17 @@ func extractAPIKey(r *http.Request) (string, bool) {
return "", false
}
-// mwSecureHeaders provides secure headers middleware for handlers.
-func mwSecureHeaders(next http.Handler) http.Handler {
+// MWSecureHeaders provides secure headers middleware for handlers.
+func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("X-XSS-Protection", "1; mode=block")
+ if hsts {
+ w.Header().Set("Strict-Transport-Security", "max-age=31536000") // 365 days
+ }
+
+ if csp {
+ w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud")
+ }
+
w.Header().Set("X-Content-Type-Options", "nosniff")
next.ServeHTTP(w, r)
})
diff --git a/api/portainer.go b/api/portainer.go
index 5f361a459..0f7b0aa13 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1653,11 +1653,15 @@ const (
// List of supported features
const (
- FeatureFdo = "fdo"
+ FeatureFdo = "fdo"
+ FeatureHSTS = "hsts"
+ FeatureCSP = "csp"
)
var SupportedFeatureFlags = []featureflags.Feature{
FeatureFdo,
+ FeatureHSTS,
+ FeatureCSP,
}
const (
diff --git a/app/index.html b/app/index.html
index 5a21bd71b..370070b48 100644
--- a/app/index.html
+++ b/app/index.html
@@ -10,19 +10,6 @@
-