Cleanup #49243

Feature #47765: mgr/dashboard: security improvements

Cleanup #47341: mgr/dashboard: securing CherryPy

mgr/dashboard: set XFrame options and Content Security Policy headers

Added by Avan Thakkar 15 days ago. Updated 3 days ago.

Status: Pending Backport
Priority: Normal
Assignee:
Category: dashboard/backend
Target version:
% Done: 0%
Tags:
Backport: nautilus, octopus, pacific
Reviewed:
Affected Versions:
Pull request ID: 39405

Related issues

Copied to mgr - Backport #49420: nautilus: mgr/dashboard: set XFrame options and Content Security Policy headers Resolved
Copied to mgr - Backport #49421: octopus: mgr/dashboard: set XFrame options and Content Security Policy headers In Progress
Copied to mgr - Backport #49422: pacific: mgr/dashboard: set XFrame options and Content Security Policy headers In Progress

History

#1 Updated by Avan Thakkar 15 days ago

  • Category set to dashboard/backend

#2 Updated by Avan Thakkar 15 days ago

  • Pull request ID set to 39405

#3 Updated by Ernesto Puerta 14 days ago

More funny headers ongoing. I ran nikto against the dashboard and got:

# nikto -h https://localhost:11000
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8" 
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        11000
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /O=IT/CN=ceph-dashboard
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /O=IT/CN=ceph-dashboard
+ Start Time:         2021-02-12 11:06:45 (GMT0)
---------------------------------------------------------------------------
+ Server: CherryPy/18.4.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'localhost' does not match certificate's names: ceph-dashboard
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server banner has changed from 'CherryPy/18.4.0' to '::' which may suggest a WAF, load balancer or proxy is in place
+ 4927 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-02-12 11:07:24 (GMT0) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

#4 Updated by Avan Thakkar 14 days ago

Ernesto Puerta wrote:

More funny headers ongoing. I ran nikto against the dashboard and got:
[...]

Setting the X-Frame-Options header doesn't make sense here, as the CSP header is already set with `frame-ancestors`. See https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options. And the X-XSS-Protection header is not recommended (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), as it can only be useful for old browsers which don't have the CSP header set. I will look into the X-Content-Type-Options header and other headers which can be added.
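
As an added example (not Ceph dashboard code and not part of this ticket), the following Python script audits a response's headers along the lines of the nikto findings and the reply above: it treats a CSP `frame-ancestors` directive as satisfying the clickjacking check instead of requiring X-Frame-Options, flags any X-XSS-Protection value other than `0`, and checks X-Content-Type-Options, Strict-Transport-Security, Content-Encoding and the Server banner. `SAMPLE_HEADERS` is a constructed header set resembling the scan output; the CSP value in it, the `verify=False` handling of the self-signed certificate and the `localhost 11000` invocation are assumptions.

```python
"""Audit the response headers nikto flagged above: clickjacking (CSP
frame-ancestors vs X-Frame-Options), X-XSS-Protection, X-Content-Type-Options,
HSTS, Content-Encoding and the Server banner.

Added example, not Ceph dashboard code. SAMPLE_HEADERS is constructed to
resemble the nikto report (CherryPy, deflate, a CSP that carries
frame-ancestors but no X-Frame-Options); the CSP value itself is an assumption.
"""
import http.client
import ssl
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, key, message)

SAMPLE_HEADERS = {  # constructed sample, resembling the dashboard scan above
    "Server": "CherryPy/18.4.0",
    "Content-Type": "text/html;charset=utf-8",
    "Content-Encoding": "deflate",
    "Content-Security-Policy": "frame-ancestors 'self'; default-src 'self'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: Dict[str, str], https: bool = True) -> List[Finding]:
    """Return findings for one response's headers (names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    # Clickjacking: a CSP frame-ancestors directive takes precedence over
    # X-Frame-Options in browsers that support CSP2, so X-Frame-Options is only
    # worth flagging when no frame-ancestors directive is present.
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("medium", "clickjacking",
                         "neither CSP frame-ancestors nor X-Frame-Options is set"))

    # X-XSS-Protection is deprecated; only "0" (filter off) is harmless.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("low", "xss-protection",
                         "X-XSS-Protection is %r; drop it or set it to 0 and rely on CSP" % xss))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "content-type-options",
                         "X-Content-Type-Options: nosniff is not set; browsers may sniff MIME types"))

    if https and "strict-transport-security" not in h:
        findings.append(("medium", "hsts",
                         "HTTPS without Strict-Transport-Security; first request may be downgraded"))

    # Compressing responses that mix attacker-controlled input with secrets
    # (e.g. tokens) is the precondition for BREACH; report it for review.
    enc = h.get("content-encoding", "").strip().lower()
    if enc in ("deflate", "gzip", "br"):
        findings.append(("info", "compression",
                         "Content-Encoding %s: check that secrets are not compressed with user input" % enc))

    if "server" in h:
        findings.append(("info", "server-banner", "Server banner disclosed: %s" % h["server"]))

    return findings


def fetch_headers(host: str, port: int, path: str = "/", verify: bool = True) -> Dict[str, str]:
    """GET `path` over TLS and return the response headers (verify=False for self-signed certs)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return headers


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # e.g.: python3 audit_headers.py localhost 11000
        hdrs = fetch_headers(sys.argv[1], int(sys.argv[2]), verify=False)
    else:
        hdrs = SAMPLE_HEADERS
    for severity, key, msg in audit_headers(hdrs):
        print("%-6s %-20s %s" % (severity, key, msg))
```

Run against a live dashboard with the host and port as arguments; with no arguments it audits the constructed sample, which yields no clickjacking finding (because of `frame-ancestors`) but still reports the missing X-Content-Type-Options and HSTS headers, the deflate encoding and the CherryPy banner.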

#5 Updated by Avan Thakkar 3 days ago

  • Status changed from In Progress to Pending Backport

#6 Updated by Avan Thakkar 3 days ago

  • Backport set to nautilus, octopus, pacific

#7 Updated by Backport Bot 3 days ago

  • Copied to Backport #49420: nautilus: mgr/dashboard: set XFrame options and Content Security Policy headers added

#8 Updated by Backport Bot 3 days ago

  • Copied to Backport #49421: octopus: mgr/dashboard: set XFrame options and Content Security Policy headers added

#9 Updated by Backport Bot 3 days ago

  • Copied to Backport #49422: pacific: mgr/dashboard: set XFrame options and Content Security Policy headers added
