Cleanup #49243
Feature #47765: mgr/dashboard: security improvements (closed)
Cleanup #47341: mgr/dashboard: securing CherryPy
mgr/dashboard: set XFrame options and Content Security Policy headers
Status:
Resolved
Priority:
Normal
Assignee:
Category:
General - Back-end
Target version:
% Done:
0%
Tags:
Backport:
nautilus, octopus, pacific
Reviewed:
Affected Versions:
Pull request ID:
Updated by Ernesto Puerta about 3 years ago
More funny headers ongoing. I ran nikto through the dashboard and got:
# nikto -h https://localhost:11000
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost
+ Target Port:        11000
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /O=IT/CN=ceph-dashboard
                   Ciphers:  TLS_AES_256_GCM_SHA384
                   Issuer:   /O=IT/CN=ceph-dashboard
+ Start Time:         2021-02-12 11:06:45 (GMT0)
---------------------------------------------------------------------------
+ Server: CherryPy/18.4.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'localhost' does not match certificate's names: ceph-dashboard
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server banner has changed from 'CherryPy/18.4.0' to '::' which may suggest a WAF, load balancer or proxy is in place
+ 4927 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-02-12 11:07:24 (GMT0) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Updated by Avan Thakkar about 3 years ago
Ernesto Puerta wrote:
More funny headers ongoing. I ran nikto through the dashboard and got:
[...]
Setting the X-Frame-Options header doesn't make sense here, as the CSP header is already set with `frame-ancestors`. See https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options. And the X-XSS-Protection header is not recommended (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection), as it can only be useful in the case of old browsers that don't have the CSP header set. I will look into the X-Content-Type-Options header and other headers that can be added.
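Added example, not Ceph's or the dashboard's own code: a stdlib-only Python sketch of the header set argued for above (CSP `frame-ancestors` rather than X-Frame-Options, no X-XSS-Protection, plus the X-Content-Type-Options and Strict-Transport-Security headers nikto flagged), with an audit function that re-applies nikto's header checks to a response header dict. The CSP value, the HSTS max-age and the CherryPy `tools.response_headers` wiring are assumptions.

```python
"""Security response headers for a CherryPy app, and an audit of nikto's header findings."""
from typing import Dict, List


def security_headers(frame_ancestors: str = "'none'", hsts_max_age: int = 63072000) -> Dict[str, str]:
    """Headers to attach to every response. Policy values are assumptions for this example."""
    return {
        # CSP2 frame-ancestors supersedes X-Frame-Options; no need to send both.
        "Content-Security-Policy": f"frame-ancestors {frame_ancestors}",
        # Stop MIME sniffing (nikto: "X-Content-Type-Options header is not set").
        "X-Content-Type-Options": "nosniff",
        # Pin HTTPS (nikto: "Strict-Transport-Security HTTP header is not defined").
        "Strict-Transport-Security": f"max-age={hsts_max_age}; includeSubDomains",
        # X-XSS-Protection is deliberately omitted: deprecated, CSP covers it.
    }


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Re-run the header checks nikto raised against one response; [] means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    csp_directives = [d.strip() for d in h.get("content-security-policy", "").split(";")]
    has_frame_ancestors = any(d.startswith("frame-ancestors") for d in csp_directives)
    # Either mechanism blocks framing; flag only when neither is present.
    if not has_frame_ancestors and "x-frame-options" not in h:
        findings.append("clickjacking: no CSP frame-ancestors and no X-Frame-Options")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing on an HTTPS site")
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection present; deprecated, rely on CSP instead")
    if "content-encoding" in h:
        findings.append("response is compressed (nikto's BREACH finding); review per-endpoint")
    return findings


# How the headers would be attached in CherryPy (assumed wiring via the response_headers tool).
CHERRYPY_CONFIG = {
    "tools.response_headers.on": True,
    "tools.response_headers.headers": list(security_headers().items()),
}

# Constructed sample: the response nikto saw above carried only these two headers.
NIKTO_SEEN_RESPONSE = {"Server": "CherryPy/18.4.0", "Content-Encoding": "deflate"}

if __name__ == "__main__":
    for finding in audit_headers(NIKTO_SEEN_RESPONSE):
        print("-", finding)
    print("hardened:", audit_headers(security_headers()) or "no findings")
```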
Updated by Avan Thakkar about 3 years ago
- Status changed from In Progress to Pending Backport
Updated by Avan Thakkar about 3 years ago
- Backport set to nautilus, octopus, pacific
Updated by Backport Bot about 3 years ago
- Copied to Backport #49420: nautilus: mgr/dashboard: set XFrame options and Content Security Policy headers added
Updated by Backport Bot about 3 years ago
- Copied to Backport #49421: octopus: mgr/dashboard: set XFrame options and Content Security Policy headers added
Updated by Backport Bot about 3 years ago
- Copied to Backport #49422: pacific: mgr/dashboard: set XFrame options and Content Security Policy headers added
Updated by Ernesto Puerta about 3 years ago
- Status changed from Pending Backport to Resolved