added Content-Security-Policy to security

server/src/uds/core/util/config.py

@@ -341,6 +341,10 @@ class GlobalConfig:
     SUPER_USER_ALLOW_WEBACCESS: Config.Value = Config.section(SECURITY_SECTION).value(
         'allowRootWebAccess', '1', type=Config.BOOLEAN_FIELD
     )
+    # Enhaced security
+    ENHANCED_SECURITY: Config.Value = Config.section(SECURITY_SECTION).value(
+        'Enable Enhanced Security', '1', type=Config.BOOLEAN_FIELD
+    )
     # Time an admi session can be idle before being "logged out"
     # ADMIN_IDLE_TIME: Config.Value = Config.section(SECURITY_SECTION).value('adminIdleTime', '14400', type=Config.NUMERIC_FIELD)  # Defaults to 4 hous
     # Time betwen checks of unused services by os managers

server/src/uds/core/util/middleware/security.py

@@ -33,6 +33,8 @@ logger = logging.getLogger(__name__)
 
 from django.http import HttpResponse
 
+from uds.core.util.config import GlobalConfig
+
 if typing.TYPE_CHECKING:
     from django.http import HttpRequest
 
@@ -69,9 +71,10 @@ class UDSSecurityMiddleware:
             return HttpResponse(content='Forbbiden', status=403)
 
         response = self.get_response(request)
-        # Legacy browser support for X-XSS-Protection
-        response.headers.setdefault('X-XSS-Protection', '1; mode=block')
-        # Add Content-Security-Policy, allowing same origin and inline scripts, images from any https source and data:
-        response.headers.setdefault('Content-Security-Policy', "default-src 'self' 'unsafe-inline'; img-src 'self' https: data:;")
-
+        
+        if GlobalConfig.ENHANCED_SECURITY.getBool():
+            # Legacy browser support for X-XSS-Protection
+            response.headers.setdefault('X-XSS-Protection', '1; mode=block')
+            # Add Content-Security-Policy, see https://www.owasp.org/index.php/Content_Security_Policy
+            response.headers.setdefault('Content-Security-Policy', "default-src 'self' 'unsafe-inline' 'unsafe-eval' uds: udss:; img-src 'self' https: data:;")
         return response