From 9c5f623d03fba7fe924402725bc4811b03712bb3 Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Wed, 10 Jul 2019 15:11:29 +0200
Subject: [PATCH] See #880: added CSP policy in deployment files

---
 changes/changelog.d/880.enhancement |  1 +
 changes/notes.rst                   | 15 +++++++++++++++
 deploy/docker.proxy.template        |  3 +++
 deploy/nginx.template               |  5 ++++-
 docker/nginx/conf.dev               |  2 ++
 5 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 changes/changelog.d/880.enhancement

diff --git a/changes/changelog.d/880.enhancement b/changes/changelog.d/880.enhancement
new file mode 100644
index 00000000..58d308af
--- /dev/null
+++ b/changes/changelog.d/880.enhancement
@@ -0,0 +1 @@
+Hardened security thanks to CSP and additional HTTP headers (#880)
diff --git a/changes/notes.rst b/changes/notes.rst
index b52fb789..40a1d7bb 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -43,3 +43,18 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 ``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}``
 
 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
+
+
+Content-Security-Policy [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
+you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
+for both Docker and non-Docker deployments)::
+
+    server {
+        # Security related headers
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    }
+
+Then reload nginx with ``systemctl reload nginx``.
diff --git a/deploy/docker.proxy.template b/deploy/docker.proxy.template
index 0fbed2f7..6b0a0405 100644
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -29,6 +29,9 @@ server {
     # HSTS
     add_header Strict-Transport-Security "max-age=31536000";
 
+    # Security related headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
     # compression settings
     gzip on;
     gzip_comp_level    5;
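Review bot: The new `add_header Content-Security-Policy` line here (and the identical lines in deploy/nginx.template and docker/nginx/conf.dev) is only attached to 2xx/3xx responses, because `add_header` without the `always` flag skips error statuses, so 4xx/5xx pages served by this proxy carry no CSP at all; `add_header Content-Security-Policy "<same policy value>" always;` closes that gap on nginx 1.7.5 or newer. The same inheritance caveat that already applies to the HSTS line above it applies here: nginx discards every server-level `add_header` in any `location` that defines its own `add_header`, so if a location elsewhere in this file sets a header, neither the CSP nor HSTS reaches responses from it — worth a comment such as `# add_header is not inherited into locations that set their own headers; repeat these there`. The policy also defines no `frame-ancestors`, so framing protection depends on an X-Frame-Options header that is not visible in this hunk. The enclosing `server` block starts and ends outside the hunk.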
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 78b8ff3d..b38a7e67 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -41,6 +41,9 @@ server {
     # HSTS
     add_header Strict-Transport-Security "max-age=31536000";
 
+    # Security related headers
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
     root ${FUNKWHALE_FRONTEND_PATH};
 
     # compression settings
@@ -111,7 +114,7 @@ server {
         internal;
         alias   ${MEDIA_ROOT};
     }
-    
+
     # Comment the previous location and uncomment this one if you're storing
     # media files in a S3 bucket
     # location ~ /_protected/media/(.+) {
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 0ab9ec16..8b35430a 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -69,6 +69,8 @@ http {
             text/x-component
             text/x-cross-domain-policy;
 
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
         location /front/ {
             # uncomment the following line and comment the proxy-pass one
             # to use the frontend build with "yarn build"
-- 
GitLab