diff --git a/changes/notes.rst b/changes/notes.rst index 40a1d7bbb..ef493373d 100644 --- a/changes/notes.rst +++ b/changes/notes.rst @@ -45,16 +45,56 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``. -Content-Security-Policy [manual action suggested] -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Content-Security-Policy and additional security headers [manual action suggested] +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ To improve the security and reduce the attack surface in case of a successfull exploit, we suggest -you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value -for both Docker and non-Docker deployments):: +you add the following Content-Security-Policy to your nginx configuration. + +**On non-docker setups**, in ``/etc/nginx/sites-available/funkwhale.conf``:: server { - # Security related headers + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + location /front/ { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Frame-Options "SAMEORIGIN"; + # … existing content here + } + + # Also create a new location for the embeds to ensure external iframes work + # Simply copy-paste the /front/ location, but replace the following lines: + location /front/embed.html { + add_header X-Frame-Options "ALLOW"; + alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; + } } Then reload nginx with ``systemctl reload nginx``. + +**On docker setups**, in ``/srv/funkwhalenginx/funkwhale.template``:: + + server { + + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + location /front/ { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Frame-Options "SAMEORIGIN"; + # … existing content here + } + + # Also create a new location for the embeds to ensure external iframes work + # Simply copy-paste the /front/ location, but replace the following lines: + location /front/embed.html { + add_header X-Frame-Options "ALLOW"; + alias /frontent/embed.html; + } + } + +Then reload nginx with ``docker-compose restart nginx``. diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template index 431975629..a69762c19 100644 --- a/deploy/docker.nginx.template +++ b/deploy/docker.nginx.template @@ -23,6 +23,10 @@ server { root /frontend; + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + location / { include /etc/nginx/funkwhale_proxy.conf; # this is needed if you have file import via upload enabled @@ -31,12 +35,27 @@ server { } location /front/ { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + add_header X-Frame-Options "ALLOW"; alias /frontend/; expires 30d; add_header Pragma public; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; } + location /front/embed.html { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + add_header X-Frame-Options "ALLOW"; + alias /frontend/embed.html; + expires 30d; + add_header Pragma public; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; + } + location /federation/ { include /etc/nginx/funkwhale_proxy.conf; proxy_pass http://funkwhale-api/federation/; diff --git a/deploy/nginx.template b/deploy/nginx.template index b38a7e67d..89d53ce2b 100644 --- a/deploy/nginx.template +++ b/deploy/nginx.template @@ -41,8 +41,8 @@ server { # HSTS add_header Strict-Transport-Security "max-age=31536000"; - # Security related headers add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; root ${FUNKWHALE_FRONTEND_PATH}; @@ -81,11 +81,25 @@ server { } location /front/ { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + add_header X-Frame-Options "SAMEORIGIN"; alias ${FUNKWHALE_FRONTEND_PATH}/; expires 30d; add_header Pragma public; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; } + location /front/embed.html { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + + add_header X-Frame-Options "ALLOW"; + alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; + expires 30d; + add_header Pragma public; + add_header Cache-Control "public, must-revalidate, proxy-revalidate"; + } location /federation/ { include /etc/nginx/funkwhale_proxy.conf; diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev index 8b35430a2..976c2e435 100644 --- a/docker/nginx/conf.dev +++ b/docker/nginx/conf.dev @@ -70,13 +70,23 @@ http { text/x-cross-domain-policy; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; location /front/ { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Frame-Options "SAMEORIGIN"; # uncomment the following line and comment the proxy-pass one # to use the frontend build with "yarn build" #alias /frontend/dist/; proxy_pass http://funkwhale-front/front/; } + location /front/embed.html { + add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Frame-Options "ALLOW"; + proxy_pass http://funkwhale-front/front/embed.html; + } location /front-server/ { proxy_pass http://funkwhale-front/; }