Feature #7805

Add several security related HTTP headers - security hardening.

Added by Jan Rusnacko over 4 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Several HTTP headers that enhance security on client-side:

  • Content Security Policy
  • HTTP Strict Transport Security
  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options

All of these enable browser protections on client side and make exploitation of common web flaws harder.

Adding these should be considered security hardening.
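As an added illustration of what the feature request asks for (this is example code written for this page, not Foreman's code and not the secure_headers gem the fix uses), the block below is a minimal Rack-style middleware that emits the five headers, plus an audit helper that checks a response for their presence and for weak values. The policy values, the 180-day HSTS threshold, the gravatar host and the WebSocket allowance in the CSP are assumptions chosen to show the kind of exceptions a Foreman-like application needs; they are not taken from the project's configuration.

```ruby
# Added example (not Foreman's code, and not the secure_headers gem the fix
# uses): a minimal Rack-style middleware that emits the five headers listed in
# this issue, plus an audit helper for checking a response. Policy values,
# the gravatar host and the WebSocket allowance are assumptions for illustration.

class SecurityHeaders
  # Assumed CSP: same-origin by default, gravatar images allowed, WebSocket
  # consoles allowed, and no framing by other origins.
  DEFAULT_CSP = [
    "default-src 'self'",
    "img-src 'self' https://secure.gravatar.com",
    "connect-src 'self' wss:",
    "frame-ancestors 'self'"
  ].join('; ').freeze

  DEFAULT_HEADERS = {
    'Content-Security-Policy'   => DEFAULT_CSP,
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Frame-Options'           => 'SAMEORIGIN',
    'X-Content-Type-Options'    => 'nosniff'
  }.freeze

  # app: any object whose #call(env) returns [status, headers, body]
  # overrides: per-header values; a nil value disables that header
  def initialize(app, overrides = {})
    @app = app
    @headers = DEFAULT_HEADERS.merge(overrides)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    @headers.each do |name, value|
      next if value.nil?
      # HSTS is only honoured over TLS; sending it on plain HTTP is pointless
      next if name == 'Strict-Transport-Security' && !https?(env)
      headers[name] = value
    end
    [status, headers, body]
  end

  private

  def https?(env)
    env['rack.url_scheme'] == 'https' || env['HTTP_X_FORWARDED_PROTO'] == 'https'
  end
end

MIN_HSTS_AGE = 15_552_000 # 180 days in seconds (assumed threshold)

# Returns a list of findings for a response header hash; an empty list means
# all five headers are present with acceptable values. Header names are
# matched case-insensitively, as HTTP requires.
def audit_security_headers(headers)
  h = Hash[headers.map { |k, v| [k.to_s.downcase, v.to_s] }]
  findings = []

  findings << 'Content-Security-Policy missing' if h['content-security-policy'].to_s.empty?

  hsts = h['strict-transport-security']
  if hsts.nil?
    findings << 'Strict-Transport-Security missing'
  elsif hsts[/max-age=(\d+)/i, 1].to_i < MIN_HSTS_AGE
    findings << 'Strict-Transport-Security max-age too short'
  end

  findings << 'X-XSS-Protection missing' if h['x-xss-protection'].nil?

  xfo = h['x-frame-options']
  if xfo.nil?
    findings << 'X-Frame-Options missing'
  elsif !%w[DENY SAMEORIGIN].include?(xfo.upcase)
    findings << "X-Frame-Options weak value #{xfo}"
  end

  xcto = h['x-content-type-options']
  findings << 'X-Content-Type-Options missing or not nosniff' unless xcto && xcto.downcase == 'nosniff'

  findings
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample app: a trivial HTML response with no hardening headers
  app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html></html>']] }
  _, headers, = SecurityHeaders.new(app).call('rack.url_scheme' => 'https')
  headers.each { |k, v| puts "#{k}: #{v}" }
  puts "findings: #{audit_security_headers(headers).inspect}"
end
```

Of the five, Content-Security-Policy is the one that breaks functionality when the allow-list is too narrow, which is exactly what the related bugs about gravatars and the server console show; rolling a policy out under Content-Security-Policy-Report-Only first, and only then switching to the enforcing header, avoids that. X-XSS-Protection is a legacy header that current browsers no longer act on, so CSP is the control that actually matters there.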


Related issues

Related to Foreman - Bug #7907: gravatars are now broken (Closed, 2014-10-11)
Related to Foreman - Bug #7985: Can not access server console (Closed, 2014-10-19)
Related to Foreman - Bug #7018: SPICE libvirt websockets connections aren't encrypted (New, 2014-08-11)

Associated revisions

Revision 5c50ca8e (diff)
Added by Jan Rusnacko over 4 years ago

fixes #7805 - Add several security related HTTP headers - security hardening.

This commit uses secure_headers gem and configures several HTTP
security related headers to be sent by server:
  • Content Security Policy
  • HTTP Strict Transport Security
  • X-XSS-Protection
  • X-Frame-Options
  • X-Content-Type-Options

All of these enable browser protections on client side and make
exploitation of common web flaws harder.

Revision 4378c39a (diff)
Added by Dominic Cleal over 4 years ago

refs #7805 - add secure_headers gem

Revision d37bbc32
Added by Lukas Zapletal over 4 years ago

Merge pull request #386 from domcleal/rpm/develop-7805-secure-headers

refs #7805 - add secure_headers gem

History

#1 Updated by Lukas Zapletal over 4 years ago

  • Category set to Security

Hello,

can you tell whether those all work with Foreman? I think we can't use all of them, because of noVNC, but some might be good indeed.

If you run your Foreman instance via Apache, then you can easily add them and report to us which of these have worked. Thanks!

#2 Updated by Daniel Lobato Garcia over 4 years ago

  • Pull request https://github.com/theforeman/foreman/pull/1779 added
  • Pull request deleted ()

#3 Updated by Dominic Cleal over 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Jan Rusnacko
  • Target version set to 1.7.2

#4 Updated by Anonymous over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Ohad Levy over 4 years ago

  • Related to Bug #7907: gravatars are now broken added

#6 Updated by Daniel Lobato Garcia over 4 years ago

  • Legacy Backlogs Release (now unused) set to 21

#7 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #7985: Can not access server console added

#8 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #7018: SPICE libvirt websockets connections aren't encrypted added
