diff options
4 files changed, 51 insertions, 0 deletions
diff --git a/staging_vespalib/src/tests/state_server/state_server_test.cpp b/staging_vespalib/src/tests/state_server/state_server_test.cpp index 6c7397a1719..e61d3d216cd 100644 --- a/staging_vespalib/src/tests/state_server/state_server_test.cpp +++ b/staging_vespalib/src/tests/state_server/state_server_test.cpp @@ -87,6 +87,12 @@ TEST_FF("require that non-empty known url returns expected headers", DummyHandle "Connection: close\r\n" "Content-Type: application/json\r\n" "Content-Length: 5\r\n" + "X-XSS-Protection: 1; mode=block\r\n" + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: default-src 'none'\r\n" + "X-Content-Type-Options: nosniff\r\n" + "Cache-Control: no-store\r\n" + "Pragma: no-cache\r\n" "\r\n" "[123]"); std::string actual = getFull(f2.port(), my_path); diff --git a/storage/src/tests/frameworkimpl/status/statustest.cpp b/storage/src/tests/frameworkimpl/status/statustest.cpp index e7d0d496cc8..81d91e2f08a 100644 --- a/storage/src/tests/frameworkimpl/status/statustest.cpp +++ b/storage/src/tests/frameworkimpl/status/statustest.cpp @@ -115,6 +115,12 @@ TEST_F(StatusTest, index_status_page) { "Connection: close\r\n" "Content-Type: text\\/html\r\n" "Content-Length: [0-9]+\r\n" + "X-XSS-Protection: 1; mode=block\r\n" + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: default-src 'none'\r\n" + "X-Content-Type-Options: nosniff\r\n" + "Cache-Control: no-store\r\n" + "Pragma: no-cache\r\n" "\r\n" "<html>\n" "<head>\n" @@ -144,6 +150,12 @@ TEST_F(StatusTest, html_status) { "Connection: close\r\n" "Content-Type: text/html\r\n" "Content-Length: 117\r\n" + "X-XSS-Protection: 1; mode=block\r\n" + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: default-src 'none'\r\n" + "X-Content-Type-Options: nosniff\r\n" + "Cache-Control: no-store\r\n" + "Pragma: no-cache\r\n" "\r\n" "<html>\n" "<head>\n" @@ -170,6 +182,12 @@ TEST_F(StatusTest, xml_sStatus) { "Connection: close\r\n" "Content-Type: application/xml\r\n" "Content-Length: 100\r\n" + "X-XSS-Protection: 1; mode=block\r\n" + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: default-src 'none'\r\n" + "X-Content-Type-Options: nosniff\r\n" + "Cache-Control: no-store\r\n" + "Pragma: no-cache\r\n" "\r\n" "<?xml version=\"1.0\"?>\n" "<status id=\"fooid\" name=\"Foo impl\">\n" diff --git a/vespalib/src/tests/portal/portal_test.cpp b/vespalib/src/tests/portal/portal_test.cpp index 1baebc69e97..e54700306fe 100644 --- a/vespalib/src/tests/portal/portal_test.cpp +++ b/vespalib/src/tests/portal/portal_test.cpp @@ -48,6 +48,12 @@ vespalib::string make_expected_response(const vespalib::string &content_type, co "Connection: close\r\n" "Content-Type: %s\r\n" "Content-Length: %zu\r\n" + "X-XSS-Protection: 1; mode=block\r\n" + "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: default-src 'none'\r\n" + "X-Content-Type-Options: nosniff\r\n" + "Cache-Control: no-store\r\n" + "Pragma: no-cache\r\n" "\r\n" "%s", content_type.c_str(), content.size(), content.c_str()); } diff --git a/vespalib/src/vespa/vespalib/portal/http_connection.cpp b/vespalib/src/vespa/vespalib/portal/http_connection.cpp index 97a5f6082c9..aa2c0ec4cdd 100644 --- a/vespalib/src/vespa/vespalib/portal/http_connection.cpp +++ b/vespalib/src/vespa/vespalib/portal/http_connection.cpp @@ -90,6 +90,26 @@ WriteRes half_close(CryptoSocket &socket) { } } +/** + * Emit a basic set of HTTP security headers meant to minimize any impact + * in the case of unsanitized/unescaped data making its way to an internal + * status page. + */ +void emit_http_security_headers(OutputWriter &dst) { + // Reject detected cross-site scripting attacks + dst.printf("X-XSS-Protection: 1; mode=block\r\n"); + // Do not allow embedding via iframe (clickjacking prevention) + dst.printf("X-Frame-Options: DENY\r\n"); + // Do not allow _anything_ to be externally loaded, nor inline scripts + // etc to be executed. + dst.printf("Content-Security-Policy: default-src 'none'\r\n"); + // No heuristic auto-inference of content-type based on payload. + dst.printf("X-Content-Type-Options: nosniff\r\n"); + // Don't store any potentially sensitive data in any caches. + dst.printf("Cache-Control: no-store\r\n"); + dst.printf("Pragma: no-cache\r\n"); +} + } // namespace vespalib::portal::<unnamed> void @@ -223,6 +243,7 @@ HttpConnection::respond_with_content(const vespalib::string &content_type, dst.printf("Connection: close\r\n"); dst.printf("Content-Type: %s\r\n", content_type.c_str()); dst.printf("Content-Length: %zu\r\n", content.size()); + emit_http_security_headers(dst); dst.printf("\r\n"); dst.write(content.data(), content.size()); } |