Cleanup #49243
Feature #47765: mgr/dashboard: security improvements
Cleanup #47341: mgr/dashboard: securing CherryPy
mgr/dashboard: set XFrame options and Content Security Policy headers
Status:
Pending Backport
Priority:
Normal
Assignee:
Category:
dashboard/backend
Target version:
% Done:
0%
Tags:
Backport:
nautilus, octopus, pacific
Reviewed:
Affected Versions:
Pull request ID:
Related issues
History
#1 Updated by Avan Thakkar 15 days ago
- Category set to dashboard/backend
#2 Updated by Avan Thakkar 15 days ago
- Pull request ID set to 39405
#3 Updated by Ernesto Puerta 14 days ago
More funny headers ongoing. I run nikto through dashboard and got:
# nikto -h https://localhost:11000
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
- ***** RFIURL is not defined in nikto.conf--no RFI tests will run *****
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 11000
---------------------------------------------------------------------------
+ SSL Info: Subject: /O=IT/CN=ceph-dashboard
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /O=IT/CN=ceph-dashboard
+ Start Time: 2021-02-12 11:06:45 (GMT0)
---------------------------------------------------------------------------
+ Server: CherryPy/18.4.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname 'localhost' does not match certificate's names: ceph-dashboard
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server banner has changed from 'CherryPy/18.4.0' to '::' which may suggest a WAF, load balancer or proxy is in place
+ 4927 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2021-02-12 11:07:24 (GMT0) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
#4 Updated by Avan Thakkar 14 days ago
Ernesto Puerta wrote:
More funny headers ongoing. I run nikto through dashboard and got:
[...]
Setting X-frame option header doesn't make sense here as CSP header is already set with `frame-ancestors`. See here https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options. And X-XSS-Protection header is not recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection , as it can only be useful in case of old browser which don't have CSP header set. I will look for X-Content-Type-Options header and other headers which can be added.
#5 Updated by Avan Thakkar 3 days ago
- Status changed from In Progress to Pending Backport
#6 Updated by Avan Thakkar 3 days ago
- Backport set to nautilus, octopus, pacific
#7 Updated by Backport Bot 3 days ago
- Copied to Backport #49420: nautilus: mgr/dashboard: set XFrame options and Content Security Policy headers added
#8 Updated by Backport Bot 3 days ago
- Copied to Backport #49421: octopus: mgr/dashboard: set XFrame options and Content Security Policy headers added
#9 Updated by Backport Bot 3 days ago
- Copied to Backport #49422: pacific: mgr/dashboard: set XFrame options and Content Security Policy headers added