From 9c5f623d03fba7fe924402725bc4811b03712bb3 Mon Sep 17 00:00:00 2001
From: Eliot Berriot
Date: Wed, 10 Jul 2019 15:11:29 +0200
Subject: [PATCH] See #880: added CSP policy in deployment files

---
 changes/changelog.d/880.enhancement | 1 +
 changes/notes.rst | 15 +++++++++++++++
 deploy/docker.proxy.template | 3 +++
 deploy/nginx.template | 5 ++++-
 docker/nginx/conf.dev | 2 ++
 5 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 changes/changelog.d/880.enhancement

diff --git a/changes/changelog.d/880.enhancement b/changes/changelog.d/880.enhancement
new file mode 100644
index 000000000..58d308afa
--- /dev/null
+++ b/changes/changelog.d/880.enhancement
@@ -0,0 +1 @@
+Hardened security thanks to CSP and additional HTTP headers (#880)
diff --git a/changes/notes.rst b/changes/notes.rst
index b52fb7897..40a1d7bbb 100644
--- a/changes/notes.rst
+++ b/changes/notes.rst
@@ -43,3 +43,18 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 ``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}``
 
 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
+
+
+Content-Security-Policy [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
+you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
+for both Docker and non-Docker deployments)::
+
+ server {
+ # Security related headers
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+ }
+
+Then reload nginx with ``systemctl reload nginx``.
diff --git a/deploy/docker.proxy.template b/deploy/docker.proxy.template
index 0fbed2f73..6b0a0405a 100644
--- a/deploy/docker.proxy.template
+++ b/deploy/docker.proxy.template
@@ -29,6 +29,9 @@ server {
 # HSTS
 add_header Strict-Transport-Security "max-age=31536000";
 
+ # Security related headers
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
 # compression settings
 gzip on;
 gzip_comp_level 5;
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 78b8ff3d6..b38a7e67d 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -41,6 +41,9 @@ server {
 # HSTS
 add_header Strict-Transport-Security "max-age=31536000";
 
+ # Security related headers
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
 root ${FUNKWHALE_FRONTEND_PATH};
 
 # compression settings
@@ -111,7 +114,7 @@ server {
 internal;
 alias ${MEDIA_ROOT};
 }
-
+
 # Comment the previous location and uncomment this one if you're storing
 # media files in a S3 bucket
 # location ~ /_protected/media/(.+) {
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index 0ab9ec160..8b35430a2 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -69,6 +69,8 @@ http {
 text/x-component
 text/x-cross-domain-policy;
 
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+
 location /front/ {
 # uncomment the following line and comment the proxy-pass one
 # to use the frontend build with "yarn build"
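Review bot: The `add_header Content-Security-Policy` line added after the HSTS header in this server block is only sent on 2xx/3xx responses, because nginx's add_header skips 4xx/5xx unless the `always` parameter is given, so an error page that reflects request data goes out with no policy at all; `add_header Content-Security-Policy "…" always;` closes that gap on nginx 1.7.5 and later. Also note that nginx does not merge add_header across levels: any `location` in this server that declares its own add_header (a CORS or caching header on a media or API location would be typical) drops every header inherited from here, CSP included, and has to repeat it. The rest of the server block is outside the hunk, so whether such a location exists cannot be confirmed from here; a comment next to the directive such as `# NOTE: a location that sets its own add_header loses this header — nginx does not inherit add_header across levels; repeat it there` would keep the policy from being lost silently by a later edit.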
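Review bot: The policy added to this server block has no `frame-ancestors` directive and the commit adds no `X-Frame-Options` beside it, so the instance stays embeddable in a frame from any origin and this CSP gives no clickjacking protection; the changelog entry speaks of "additional HTTP headers", but every hunk adds only Content-Security-Policy. Appending `frame-ancestors 'none'; base-uri 'self'` to the policy string, plus `add_header X-Frame-Options "DENY";` for browsers without CSP Level 2, closes that for a single-page app served from its own origin (`frame-ancestors 'self'` is the alternative if in-site embedding is wanted). The `'unsafe-inline'` in style-src is presumably required by styles the frontend bundle injects — if so, a comment recording that, e.g. `# 'unsafe-inline' is needed for style-src by the frontend bundle; it must not be added to script-src`, documents the trade-off and stops the pattern being copied into script-src later. Nothing in the hunk shows the policy was exercised against the built frontend; shipping it first as `Content-Security-Policy-Report-Only` with a `report-uri` would surface what the frontend actually loads before instances enforce it.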
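Review bot: This `add_header` is placed at `http` level rather than beside the other headers, and the `location /front/` directly below it proxies to a frontend dev server by default (per its own comment), whose hot-reload build presumably relies on eval-based source maps and a websocket; `script-src 'self'` forbids eval, so either the dev build must be configured without it or this file alone needs `'unsafe-eval'` in script-src, with a comment marking it dev-only. The websocket falls under `connect-src`, which is unset here and so inherits `default-src 'self'`, meaning it works only while the dev server is reached through this same proxy origin. If the intent is for developers to see the same violations production users would, a comment such as `# Same policy as deploy/nginx.template — keep the three copies in sync so CSP violations surface in development` would make that explicit and flag the now-duplicated policy string as something to keep aligned.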