From 87bb3777877580f70018f4880488e264decc16e4 Mon Sep 17 00:00:00 2001
From: Avan Thakkar
Date: Thu, 11 Feb 2021 03:42:49 +0530
Subject: [PATCH] mgr/dashboard: set security headers

Fixes: https://tracker.ceph.com/issues/49243
Signed-off-by: Avan Thakkar
---
 qa/tasks/mgr/dashboard/test_requests.py | 5 ++++-
 qa/tasks/mgr/test_prometheus.py | 1 +
 src/pybind/mgr/dashboard/services/auth.py | 5 ++++-
 src/pybind/mgr/prometheus/module.py | 3 +++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/qa/tasks/mgr/dashboard/test_requests.py b/qa/tasks/mgr/dashboard/test_requests.py
index 376f9bba4d1..93b175bfda0 100644
--- a/qa/tasks/mgr/dashboard/test_requests.py
+++ b/qa/tasks/mgr/dashboard/test_requests.py
@@ -27,5 +27,8 @@ class RequestsTest(DashboardTestCase):
 self._get('/api/summary')
 self.assertHeaders({
 'server': 'Ceph-Dashboard',
- 'Content-Type': 'application/vnd.ceph.api.v{}+json'.format(DEFAULT_VERSION)
+ 'Content-Type': 'application/vnd.ceph.api.v{}+json'.format(DEFAULT_VERSION),
+ 'Content-Security-Policy': "frame-ancestors 'self';",
+ 'X-Content-Type-Options': 'nosniff',
+ 'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload'
 })
diff --git a/qa/tasks/mgr/test_prometheus.py b/qa/tasks/mgr/test_prometheus.py
index 63a4abe00db..376556ab305 100644
--- a/qa/tasks/mgr/test_prometheus.py
+++ b/qa/tasks/mgr/test_prometheus.py
@@ -48,6 +48,7 @@ class TestPrometheus(MgrTestCase):
 r = requests.get(original_uri + "metrics", allow_redirects=False)
 self.assertEqual(r.status_code, 200)
 self.assertEqual(r.headers["content-type"], "text/plain;charset=utf-8")
+ self.assertEqual(r.headers["server"], "Ceph-Prometheus")
 def test_urls(self):
 self._assign_ports("prometheus", "server_port")
diff --git a/src/pybind/mgr/dashboard/services/auth.py b/src/pybind/mgr/dashboard/services/auth.py
index c44963ca7ed..a3f16543001 100644
--- a/src/pybind/mgr/dashboard/services/auth.py
+++ b/src/pybind/mgr/dashboard/services/auth.py
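Review bot: The new last entry `'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload'` in the `assertHeaders` dict is written without a trailing comma, so the next header added to this test will again have to touch an unrelated line — exactly what this commit had to do to the `Content-Type` line. Prefer `'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',` so future additions are one-line diffs. The expected values also duplicate the literals set in `src/pybind/mgr/dashboard/services/auth.py`, which is acceptable for a QA test but deserves a comment such as `# must match the response.headers configured in services/auth.py` so the two are kept in sync deliberately. The test method's signature lies outside the hunk.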
@@ -16,7 +16,10 @@ from .. import mgr
 from .access_control import LocalAuthenticator, UserDoesNotExist
 cherrypy.config.update({
- 'response.headers.server': 'Ceph-Dashboard'
+ 'response.headers.server': 'Ceph-Dashboard',
+ 'response.headers.content-security-policy': "frame-ancestors 'self';",
+ 'response.headers.x-content-type-options': 'nosniff',
+ 'response.headers.strict-transport-security': 'max-age=63072000; includeSubDomains; preload'
 })
diff --git a/src/pybind/mgr/prometheus/module.py b/src/pybind/mgr/prometheus/module.py
index ac586684a25..58c047c1348 100644
--- a/src/pybind/mgr/prometheus/module.py
+++ b/src/pybind/mgr/prometheus/module.py
@@ -50,6 +50,9 @@ os._exit = os_exit_noop
 # it's a dict, the writer doesn't need to declare 'global' for access
 _global_instance = None # type: Optional[Module]
+cherrypy.config.update({
+ 'response.headers.server': 'Ceph-Prometheus'
+})
 def health_status_to_number(status):
-- 
2.39.5
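Review bot: The `response.headers.strict-transport-security` value is applied unconditionally at import time with `includeSubDomains; preload`, which is an origin-wide and hard-to-revert commitment: it forces HTTPS for every subdomain of whatever hostname serves the dashboard and `preload` advertises the host for browser preload lists, while the dashboard can also be run without TLS, in which case browsers simply ignore the header. I would drop `preload`, consider making `includeSubDomains` opt-in, and gate the header on the dashboard's TLS setting where that is known at server start rather than in a module-level `cherrypy.config.update`. The CSP here contains only `frame-ancestors`, i.e. it is a clickjacking defence and not a script/source policy; a comment such as `# frame-ancestors only: clickjacking protection, not a script-src policy` would keep readers from assuming XSS coverage, and `X-Frame-Options: SAMEORIGIN` remains the fallback for browsers without CSP2 support. The trailing context lines of this hunk are not visible in this chunk.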
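Review bot: The prometheus endpoint only gets a `server` banner here, whereas the dashboard hunk in `src/pybind/mgr/dashboard/services/auth.py` also sets `x-content-type-options`; `nosniff` applies just as well to a `text/plain` metrics response served to arbitrary scrapers, so add `'response.headers.x-content-type-options': 'nosniff',` next to the `server` entry. Setting `server` presumably replaces CherryPy's default banner, which carries its version string; that is the real benefit and deserves a one-line comment, e.g. `# replace CherryPy's default Server banner (it includes the CherryPy version)`. Because `cherrypy.config.update` writes the global config, the header applies to every app mounted in this interpreter, which is worth noting in the same comment if more endpoints are ever served from this module. `health_status_to_number` continues outside the hunk.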