added Content-Security-Policy to security
parent
c1f6ed376b
commit
47c6ca42f1
@ -341,6 +341,10 @@ class GlobalConfig:
|
|||||||
SUPER_USER_ALLOW_WEBACCESS: Config.Value = Config.section(SECURITY_SECTION).value(
|
SUPER_USER_ALLOW_WEBACCESS: Config.Value = Config.section(SECURITY_SECTION).value(
|
||||||
'allowRootWebAccess', '1', type=Config.BOOLEAN_FIELD
|
'allowRootWebAccess', '1', type=Config.BOOLEAN_FIELD
|
||||||
)
|
)
|
||||||
|
# Enhaced security
|
||||||
|
ENHANCED_SECURITY: Config.Value = Config.section(SECURITY_SECTION).value(
|
||||||
|
'Enable Enhanced Security', '1', type=Config.BOOLEAN_FIELD
|
||||||
|
)
|
||||||
# Time an admi session can be idle before being "logged out"
|
# Time an admi session can be idle before being "logged out"
|
||||||
# ADMIN_IDLE_TIME: Config.Value = Config.section(SECURITY_SECTION).value('adminIdleTime', '14400', type=Config.NUMERIC_FIELD) # Defaults to 4 hous
|
# ADMIN_IDLE_TIME: Config.Value = Config.section(SECURITY_SECTION).value('adminIdleTime', '14400', type=Config.NUMERIC_FIELD) # Defaults to 4 hous
|
||||||
# Time betwen checks of unused services by os managers
|
# Time betwen checks of unused services by os managers
|
||||||
|
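Review bot: The new config key `'Enable Enhanced Security'` on the `ENHANCED_SECURITY` definition breaks the naming convention of the neighbouring keys in the same section (`'allowRootWebAccess'`, `'adminIdleTime'`), and because that string is what gets persisted and looked up, renaming it later becomes a data migration rather than a refactor; `'enhancedSecurity'` now, before anything stored depends on it, would be cheaper. The comment above it also has a typo and says nothing about what the flag controls, which a reader of this file cannot see; `# Enhanced security: gates the extra response headers (Content-Security-Policy, X-XSS-Protection) emitted by UDSSecurityMiddleware` would make the effect of flipping it explicit. The enclosing GlobalConfig class starts outside the hunk.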
@ -33,6 +33,8 @@ logger = logging.getLogger(__name__)
|
|||||||
|
|
||||||
from django.http import HttpResponse
|
from django.http import HttpResponse
|
||||||
|
|
||||||
|
from uds.core.util.config import GlobalConfig
|
||||||
|
|
||||||
if typing.TYPE_CHECKING:
|
if typing.TYPE_CHECKING:
|
||||||
from django.http import HttpRequest
|
from django.http import HttpRequest
|
||||||
|
|
||||||
@ -69,9 +71,10 @@ class UDSSecurityMiddleware:
|
|||||||
return HttpResponse(content='Forbbiden', status=403)
|
return HttpResponse(content='Forbbiden', status=403)
|
||||||
|
|
||||||
response = self.get_response(request)
|
response = self.get_response(request)
|
||||||
|
|
||||||
|
if GlobalConfig.ENHANCED_SECURITY.getBool():
|
||||||
# Legacy browser support for X-XSS-Protection
|
# Legacy browser support for X-XSS-Protection
|
||||||
response.headers.setdefault('X-XSS-Protection', '1; mode=block')
|
response.headers.setdefault('X-XSS-Protection', '1; mode=block')
|
||||||
# Add Content-Security-Policy, allowing same origin and inline scripts, images from any https source and data:
|
# Add Content-Security-Policy, see https://www.owasp.org/index.php/Content_Security_Policy
|
||||||
response.headers.setdefault('Content-Security-Policy', "default-src 'self' 'unsafe-inline'; img-src 'self' https: data:;")
|
response.headers.setdefault('Content-Security-Policy', "default-src 'self' 'unsafe-inline' 'unsafe-eval' uds: udss:; img-src 'self' https: data:;")
|
||||||
|
|
||||||
return response
|
return response
|
||||||
|
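Review bot: The new policy on the last `Content-Security-Policy` line puts `'unsafe-inline'` and `'unsafe-eval'` in `default-src` with no separate `script-src`, so script execution inherits both and the header no longer blocks injected inline script, which is the main protection a CSP is meant to provide; a reflected or stored XSS in the served pages would run exactly as it does without the header. If the front-end genuinely needs eval (presumably why it was added here, worth confirming against the actual console errors rather than adding it pre-emptively), keep it scoped to scripts and lock the rest down, e.g. `script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'`, since `default-src` does not cover `base-uri` or `frame-ancestors` at all and, as written, `object-src` falls back to allowing plugin content from self and the custom schemes. The `uds:`/`udss:` schemes look like launcher-protocol links and belong only in the directive that needs them rather than in the default fallback for every resource type. Note also that with the new `if GlobalConfig.ENHANCED_SECURITY.getBool():` guard both headers are omitted entirely when the flag is off, which may be intended but deserves a one-line comment saying so; the enclosing method starts outside the hunk.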