diff --git a/changes/notes.rst b/changes/notes.rst
index 40a1d7bbb517186209f1d8a0a72fa1e3b025eb60..ef493373d406586699d2dd91243833e081a15f56 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -45,16 +45,56 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
 
 
-Content-Security-Policy [manual action suggested]
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Content-Security-Policy and additional security headers [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
-you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
-for both Docker and non-Docker deployments)::
+you add the following Content-Security-Policy to your nginx configuration.
+
+**On non-docker setups**, in ``/etc/nginx/sites-available/funkwhale.conf``::
 
     server {
-        # Security related headers
+
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
+        }
     }
 
 Then reload nginx with ``systemctl reload nginx``.
+
+**On docker setups**, in ``/srv/funkwhalenginx/funkwhale.template``::
+
+    server {
+
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias /frontent/embed.html;
+        }
+    }
+
+Then reload nginx with ``docker-compose restart nginx``.
diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template
index 431975629741f4546e18f061987d6fc7ec31b699..a69762c19f1989d8d7a50c6dadce1dbe8499b3c4 100644
--- a/deploy/docker.nginx.template
+++ b/deploy/docker.nginx.template
@@ -23,6 +23,10 @@ server {
 
     root /frontend;
 
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
         # this is needed if you have file import via upload enabled
@@ -31,12 +35,27 @@ server {
     }
 
     location /front/ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "ALLOW";
         alias /frontend/;
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
 
+    location /front/embed.html {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "ALLOW";
+        alias /frontend/embed.html;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+    }
+
     location /federation/ {
         include /etc/nginx/funkwhale_proxy.conf;
         proxy_pass   http://funkwhale-api/federation/;
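Review bot: `add_header X-Frame-Options "ALLOW";` on the `/front/` location is inconsistent with deploy/nginx.template and docker/nginx/conf.dev, which use `SAMEORIGIN` for `/front/` and reserve the permissive setting for `/front/embed.html`, and `ALLOW` is not a value the header defines: browsers recognise only `DENY` and `SAMEORIGIN` (plus the obsolete `ALLOW-FROM`), so an unrecognised value is silently ignored and the main application is served with no framing restriction at all. The `/front/` line should read `add_header X-Frame-Options "SAMEORIGIN";`; for the embed location the same `"ALLOW"` value appears here, in deploy/nginx.template and in docker/nginx/conf.dev, and since framing is already permitted when the header is absent the cleanest fix is to omit the header there, or to state the intent explicitly with `frame-ancestors *` in that location's Content-Security-Policy. The restated server-level headers in both locations are correct, because an `add_header` inside a location discards the inherited set, but that rule is easy to forget and deserves a one-line comment such as `# add_header in a location replaces the server-level set; keep this list in sync with the server block` so a later edit does not drop a header by accident.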
diff --git a/deploy/nginx.template b/deploy/nginx.template
index b38a7e67dc1a0fa2adc0f4ecf45c7563e14e4e14..89d53ce2b18d103e7c53b0287db5c1404914b1e2 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -41,8 +41,8 @@ server {
     # HSTS
     add_header Strict-Transport-Security "max-age=31536000";
 
-    # Security related headers
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
 
     root ${FUNKWHALE_FRONTEND_PATH};
 
@@ -81,11 +81,25 @@ server {
     }
 
     location /front/ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "SAMEORIGIN";
         alias ${FUNKWHALE_FRONTEND_PATH}/;
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
+    location /front/embed.html {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "ALLOW";
+        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+    }
 
     location /federation/ {
         include /etc/nginx/funkwhale_proxy.conf;
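Review bot: The new `/front/` and `/front/embed.html` locations restate Content-Security-Policy and Referrer-Policy because an `add_header` inside a location replaces the whole inherited set, but `Strict-Transport-Security`, set at server level in the previous hunk, is not restated, so every frontend response is served without HSTS. The omission predates this commit (the existing Pragma and Cache-Control lines already triggered the reset), but a change whose purpose is to propagate the security headers into these locations should add `add_header Strict-Transport-Security "max-age=31536000";` to both. Separately, `location /front/embed.html` is a prefix match, so the permissive framing policy also applies to any path that merely starts with that string; `location = /front/embed.html` limits it to the single embed file. The `"ALLOW"` value for X-Frame-Options in the embed location is the same issue raised on deploy/docker.nginx.template.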
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 8b35430a2bbc7ab43d0c116025ad6103f0a1b821..976c2e4357b5a9cdc5ef389f7742d8ef7ea1114c 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -70,13 +70,23 @@ http {
             text/x-cross-domain-policy;
 
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
 
         location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
             # uncomment the following line and comment the proxy-pass one
             # to use the frontend build with "yarn build"
             #alias /frontend/dist/;
             proxy_pass   http://funkwhale-front/front/;
         }
+        location /front/embed.html {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "ALLOW";
+            proxy_pass   http://funkwhale-front/front/embed.html;
+        }
         location /front-server/ {
             proxy_pass   http://funkwhale-front/;
         }