From 156734311386a321bf074b831546fc761e4f4350 Mon Sep 17 00:00:00 2001 From: Avan Thakkar Date: Thu, 11 Feb 2021 03:42:49 +0530 Subject: [PATCH] mgr/dashboard: set security headers Fixes: https://tracker.ceph.com/issues/49243 Signed-off-by: Avan Thakkar (cherry picked from commit 87bb3777877580f70018f4880488e264decc16e4) Conflicts: qa/tasks/mgr/dashboard/test_requests.py src/pybind/mgr/dashboard/services/auth.py - Adopted the necessary changes from the master branch.
--- qa/tasks/mgr/dashboard/test_requests.py | 4 ++++ qa/tasks/mgr/test_prometheus.py | 1 + src/pybind/mgr/dashboard/services/auth.py | 7 +++++++ src/pybind/mgr/prometheus/module.py | 3 +++ 4 files changed, 15 insertions(+)
diff --git a/qa/tasks/mgr/dashboard/test_requests.py b/qa/tasks/mgr/dashboard/test_requests.py
index 0d9f8d9ba836..eba81d673af2 100644
--- a/qa/tasks/mgr/dashboard/test_requests.py
+++ b/qa/tasks/mgr/dashboard/test_requests.py
@@ -20,4 +20,8 @@ class RequestsTest(DashboardTestCase):
 self.assertNotIn('Content-Encoding', self._resp.headers)
 self.assertHeaders({
 'Content-Type': 'application/json',
+ 'server': 'Ceph-Dashboard',
+ 'Content-Security-Policy': "frame-ancestors 'self';",
+ 'X-Content-Type-Options': 'nosniff',
+ 'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload'
 })
diff --git a/qa/tasks/mgr/test_prometheus.py b/qa/tasks/mgr/test_prometheus.py
index 867d5cd5d6d6..7fe37a1a5f8f 100644
--- a/qa/tasks/mgr/test_prometheus.py
+++ b/qa/tasks/mgr/test_prometheus.py
@@ -49,6 +49,7 @@ class TestPrometheus(MgrTestCase):
 r = requests.get(original_uri + "metrics", allow_redirects=False)
 self.assertEqual(r.status_code, 200)
 self.assertEqual(r.headers["content-type"], "text/plain;charset=utf-8")
+ self.assertEqual(r.headers["server"], "Ceph-Prometheus")
 def test_urls(self):
 self._assign_ports("prometheus", "server_port")
diff --git a/src/pybind/mgr/dashboard/services/auth.py b/src/pybind/mgr/dashboard/services/auth.py
index bbb8a2ecfe11..ad07a177704a 100644
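Review bot: The added 'server' key in the test_requests.py hunk is lower-case while the other keys in the same dict are canonical-case, so whether the assertion passes depends on assertHeaders (defined outside this hunk) comparing names case-insensitively, which is not visible here; `'Server': 'Ceph-Dashboard',` keeps the dict self-consistent regardless. The enclosing test method starts before this hunk. The test also pins the exact Strict-Transport-Security value including `preload`, so any later change to make HSTS depend on TLS or to drop `preload` has to touch this assertion too; a one-line comment above the dict, `# Security headers are set process-wide in dashboard/services/auth.py`, would point the next maintainer at the source of truth.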
--- a/src/pybind/mgr/dashboard/services/auth.py
+++ b/src/pybind/mgr/dashboard/services/auth.py
@@ -15,6 +15,13 @@ import jwt
 from .access_control import LocalAuthenticator, UserDoesNotExist
 from .. import mgr
+cherrypy.config.update({
+ 'response.headers.server': 'Ceph-Dashboard',
+ 'response.headers.content-security-policy': "frame-ancestors 'self';",
+ 'response.headers.x-content-type-options': 'nosniff',
+ 'response.headers.strict-transport-security': 'max-age=63072000; includeSubDomains; preload'
+})
+
 class JwtManager(object):
 JWT_TOKEN_BLACKLIST_KEY = "jwt_token_black_list"
diff --git a/src/pybind/mgr/prometheus/module.py b/src/pybind/mgr/prometheus/module.py
index f3068250fd9f..d1b89495d83d 100644
--- a/src/pybind/mgr/prometheus/module.py
+++ b/src/pybind/mgr/prometheus/module.py
@@ -50,6 +50,9 @@ os._exit = os_exit_noop
 # it's a dict, the writer doesn't need to declare 'global' for access
 _global_instance = None # type: Optional[Module]
+cherrypy.config.update({
+ 'response.headers.server': 'Ceph-Prometheus'
+})
 def health_status_to_number(status):
-- 2.47.3
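Review bot: In the auth.py hunk the Strict-Transport-Security header is emitted unconditionally, including when the dashboard is configured to serve plain HTTP, and it carries `preload`; browsers ignore HSTS received over HTTP so the header is inert there, but `preload` on a self-hosted dashboard advertises eligibility for browser preload lists, a commitment an operator should opt into rather than receive by default. Consider tying the header to the dashboard's TLS setting and omitting `preload` unless explicitly requested, or at least document the choice with `# HSTS (with 'preload') is sent unconditionally; it only takes effect over TLS.`. The `cherrypy.config.update` call is also an import-time side effect of the JWT service module that writes global cherrypy config; if mgr modules share one interpreter, the prometheus hunk below writes the same `response.headers.server` key and whichever import runs last wins, so this block belongs next to the server setup with a comment naming that assumption. `frame-ancestors 'self'` has no `X-Frame-Options` companion for user agents that do not enforce CSP frame-ancestors; `'response.headers.x-frame-options': 'SAMEORIGIN',` is the usual one-line addition.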
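Review bot: The prometheus module.py hunk configures only the Server header, while the dashboard hunk above also sets `X-Content-Type-Options: nosniff`; the metrics endpoint serves text/plain that browsers as well as scrapers may fetch, so `'response.headers.x-content-type-options': 'nosniff',` is a one-line addition that keeps the two modules consistent. This `cherrypy.config.update` likewise runs at import time and mutates global config, and the dict sits between `_global_instance` and `health_status_to_number` with no explanation; a comment such as `# Process-wide cherrypy response defaults; applied to every response this module serves.` would make the scope explicit.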