mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-25 22:55:52 -05:00
Added more security in HTTP headers
This commit is contained in:
parent
433bff309e
commit
6dde0cce0f
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "meshcentral",
|
||||
"version": "0.4.0-l",
|
||||
"version": "0.4.0-n",
|
||||
"keywords": [
|
||||
"Remote Management",
|
||||
"Intel AMT",
|
||||
|
@ -102,7 +102,11 @@
|
||||
"meshcommander": "https://www.meshcommander.com/"
|
||||
},
|
||||
"_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
|
||||
"_httpheaders": { "Strict-Transport-Security": "max-age=360000" },
|
||||
"_httpheaders": {
|
||||
"Strict-Transport-Security": "max-age=360000",
|
||||
"x-frame-options": "SAMEORIGIN",
|
||||
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
|
||||
},
|
||||
"_agentConfig": [ "webSocketMaskOverride=1" ],
|
||||
"_SessionRecording": {
|
||||
"_filepath": "C:\\temp",
|
||||
|
@ -1084,7 +1084,7 @@
|
||||
//window.addEventListener("focus", ondocfocus, false);
|
||||
window.addEventListener("blur", ondocblur, false);
|
||||
window.onresize = function () { masterUpdate(512); }
|
||||
setTimeout("masterUpdate(512)", 200);
|
||||
setTimeout(function() { masterUpdate(512); }, 200);
|
||||
|
||||
// Connect to the mesh server
|
||||
meshserver = MeshServerCreateControl(domainUrl, authCookie);
|
||||
@ -2197,7 +2197,7 @@
|
||||
putstore("_deviceView", Q('viewselect').value);
|
||||
putstore("_viewsize", Q('sizeselect').value);
|
||||
masterUpdate(4);
|
||||
setTimeout("masterUpdate(512)", 200);
|
||||
setTimeout(function () { masterUpdate(512); }, 200);
|
||||
}
|
||||
|
||||
function ondockeypress(e) {
|
||||
|
13
webserver.js
13
webserver.js
@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
// If this domain has configured headers, use them.
|
||||
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
|
||||
// { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
|
||||
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
|
||||
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
|
||||
res.set(domain.httpheaders);
|
||||
} else {
|
||||
// Use default security headers
|
||||
res.set({
|
||||
"X-Frame-Options": "sameorigin",
|
||||
"Referrer-Policy": "no-referrer",
|
||||
"X-XSS-Protection": "1; mode=block",
|
||||
"X-Content-Type-Options": "nosniff",
|
||||
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
|
||||
});
|
||||
}
|
||||
|
||||
// Detect if this is a file sharing domain, if so, just share files.
|
||||
if ((domain != null) && (domain.share != null)) {
|
||||
|
Loading…
Reference in New Issue
Block a user