See #880: added CSP policy in deployment files

9c5f623d · Eliot Berriot · 49978081 · 9c5f623d · 9c5f623d · 9c5f623d
Verified Commit 9c5f623d authored 5 years ago by Eliot Berriot
--- a/changes/changelog.d/880.enhancement
+++ b/changes/changelog.d/880.enhancement
+Hardened security thanks to CSP and additional HTTP headers (#880)
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -43,3 +43,18 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 ``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}``

 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
+
+
+Content-Security-Policy [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
+you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
+for both Docker and non-Docker deployments)::
+
+    server {
+        # Security related headers
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    }
+
+Then reload nginx with ``systemctl reload nginx``.
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -29,6 +29,9 @@ server {
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

+    # Security related headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
    # compression settings
    gzip on;
    gzip_comp_level    5;

--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -41,6 +41,9 @@ server {
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

+    # Security related headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
    root ${FUNKWHALE_FRONTEND_PATH};

    # compression settings
@@ -111,7 +114,7 @@ server {
        internal;
        alias   ${MEDIA_ROOT};
    }
-    
+
    # Comment the previous location and uncomment this one if you're storing
    # media files in a S3 bucket
    # location ~ /_protected/media/(.+) {

--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -69,6 +69,8 @@ http {
            text/x-component
            text/x-cross-domain-policy;

+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
        location /front/ {
            # uncomment the following line and comment the proxy-pass one
            # to use the frontend build with "yarn build"