Cleanup #49243
Feature #47765: mgr/dashboard: security improvements
Cleanup #47341: mgr/dashboard: securing CherryPy
mgr/dashboard: set XFrame options and Content Security Policy headers
Status: Pending Backport
Priority: Normal
Assignee:
Category: dashboard/backend
Target version:
% Done: 0%
Tags:
Backport: nautilus, octopus, pacific
Reviewed:
Affected Versions:
Pull request ID:
Related issues
History
#1 Updated by Avan Thakkar 15 days ago
- Category set to dashboard/backend
#2 Updated by Avan Thakkar 15 days ago
- Pull request ID set to 39405
#3 Updated by Ernesto Puerta 14 days ago
More funny headers ongoing. I ran nikto through the dashboard and got:
# nikto -h https://localhost:11000
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        11000
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /O=IT/CN=ceph-dashboard
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /O=IT/CN=ceph-dashboard
+ Start Time:         2021-02-12 11:06:45 (GMT0)
---------------------------------------------------------------------------
+ Server: CherryPy/18.4.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'localhost' does not match certificate's names: ceph-dashboard
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server banner has changed from 'CherryPy/18.4.0' to '::' which may suggest a WAF, load balancer or proxy is in place
+ 4927 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-02-12 11:07:24 (GMT0) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
#4 Updated by Avan Thakkar 14 days ago
Ernesto Puerta wrote:
More funny headers ongoing. I ran nikto through the dashboard and got:
[...]
Setting the X-Frame-Options header doesn't make sense here, as the CSP header is already set with `frame-ancestors`. See here: https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options. And the X-XSS-Protection header is not recommended (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), as it can only be useful in the case of old browsers which don't have the CSP header set. I will look for the X-Content-Type-Options header and other headers which can be added.
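The refinement in the comment above (a CSP `frame-ancestors` directive covers the same ground as X-Frame-Options, and X-XSS-Protection is not worth requiring) can be expressed as a small header audit. This is an added example, not code from Ceph or from the dashboard pull request: the function names and the two sample header sets are constructed for illustration, with the "before" set modelled on what the nikto run reported (CherryPy/18.4.0 banner, deflate encoding, none of the protective headers) and the "after" set on the headers the thread discusses adding.

```python
"""Audit HTTP response headers for the protections the nikto scan flagged.

Added example, not code from Ceph or the dashboard PR. Standard library only;
the sample header sets below are constructed, not captured from a real server.
"""
from typing import Dict, List


def csp_directive(csp: str, name: str) -> List[str]:
    """Return the source list of one directive from a Content-Security-Policy value.

    Directives are ';'-separated; the first token of each is the directive
    name and the rest are its sources. Returns [] when the directive is absent.
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name.lower():
            return tokens[1:]
    return []


def audit_security_headers(headers: Dict[str, str], over_tls: bool = True) -> List[str]:
    """Return findings for one response's headers; an empty list means clean.

    Header names are compared case-insensitively, as HTTP requires.
    Clickjacking protection is satisfied by EITHER a CSP frame-ancestors
    directive OR X-Frame-Options (CSP2 makes frame-ancestors the successor of
    X-Frame-Options), so a CSP-only deployment is not flagged.
    X-XSS-Protection is deliberately not required, per the MDN guidance cited.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy", "")
    if not csp_directive(csp, "frame-ancestors") and "x-frame-options" not in h:
        findings.append("no clickjacking protection: neither CSP frame-ancestors nor X-Frame-Options")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if over_tls and "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing on a TLS site")

    # Compressed bodies over TLS are what the BREACH finding is about; the
    # auditor only raises it for review, since exposure depends on the page.
    if over_tls and h.get("content-encoding", "").lower() in ("gzip", "deflate", "br"):
        findings.append("compressed response over TLS: review for BREACH")

    server = h.get("server", "")
    if server and any(ch.isdigit() for ch in server):
        findings.append(f"Server banner discloses version: {server!r}")

    return findings


# Constructed sample: headers resembling the scanned dashboard before the change.
BEFORE = {
    "Server": "CherryPy/18.4.0",
    "Content-Type": "text/html",
    "Content-Encoding": "deflate",
}

# Constructed sample: a header set with the protections the thread discusses.
AFTER = {
    "Server": "CherryPy",
    "Content-Type": "text/html",
    "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_security_headers(hdrs) or "clean")
```

Run against a live server, the same function can be fed `dict(resp.getheaders())` from `http.client` or `resp.headers` from `requests`; the point is that the check keys on the CSP directive rather than on the legacy header's presence, which is what nikto's fixed check list gets wrong.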
#5 Updated by Avan Thakkar 3 days ago
- Status changed from In Progress to Pending Backport
#6 Updated by Avan Thakkar 3 days ago
- Backport set to nautilus, octopus, pacific
#7 Updated by Backport Bot 3 days ago
- Copied to Backport #49420: nautilus: mgr/dashboard: set XFrame options and Content Security Policy headers added
#8 Updated by Backport Bot 3 days ago
- Copied to Backport #49421: octopus: mgr/dashboard: set XFrame options and Content Security Policy headers added
#9 Updated by Backport Bot 3 days ago
- Copied to Backport #49422: pacific: mgr/dashboard: set XFrame options and Content Security Policy headers added