mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-12-26 23:25:53 -05:00
Added more security in HTTP headers
This commit is contained in:
parent
433bff309e
commit
6dde0cce0f
@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "meshcentral",
|
"name": "meshcentral",
|
||||||
"version": "0.4.0-l",
|
"version": "0.4.0-n",
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"Remote Management",
|
"Remote Management",
|
||||||
"Intel AMT",
|
"Intel AMT",
|
||||||
|
@ -102,7 +102,11 @@
|
|||||||
"meshcommander": "https://www.meshcommander.com/"
|
"meshcommander": "https://www.meshcommander.com/"
|
||||||
},
|
},
|
||||||
"_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
|
"_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
|
||||||
"_httpheaders": { "Strict-Transport-Security": "max-age=360000" },
|
"_httpheaders": {
|
||||||
|
"Strict-Transport-Security": "max-age=360000",
|
||||||
|
"x-frame-options": "SAMEORIGIN",
|
||||||
|
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
|
||||||
|
},
|
||||||
"_agentConfig": [ "webSocketMaskOverride=1" ],
|
"_agentConfig": [ "webSocketMaskOverride=1" ],
|
||||||
"_SessionRecording": {
|
"_SessionRecording": {
|
||||||
"_filepath": "C:\\temp",
|
"_filepath": "C:\\temp",
|
||||||
|
@ -1084,7 +1084,7 @@
|
|||||||
//window.addEventListener("focus", ondocfocus, false);
|
//window.addEventListener("focus", ondocfocus, false);
|
||||||
window.addEventListener("blur", ondocblur, false);
|
window.addEventListener("blur", ondocblur, false);
|
||||||
window.onresize = function () { masterUpdate(512); }
|
window.onresize = function () { masterUpdate(512); }
|
||||||
setTimeout("masterUpdate(512)", 200);
|
setTimeout(function() { masterUpdate(512); }, 200);
|
||||||
|
|
||||||
// Connect to the mesh server
|
// Connect to the mesh server
|
||||||
meshserver = MeshServerCreateControl(domainUrl, authCookie);
|
meshserver = MeshServerCreateControl(domainUrl, authCookie);
|
||||||
@ -2197,7 +2197,7 @@
|
|||||||
putstore("_deviceView", Q('viewselect').value);
|
putstore("_deviceView", Q('viewselect').value);
|
||||||
putstore("_viewsize", Q('sizeselect').value);
|
putstore("_viewsize", Q('sizeselect').value);
|
||||||
masterUpdate(4);
|
masterUpdate(4);
|
||||||
setTimeout("masterUpdate(512)", 200);
|
setTimeout(function () { masterUpdate(512); }, 200);
|
||||||
}
|
}
|
||||||
|
|
||||||
function ondockeypress(e) {
|
function ondockeypress(e) {
|
||||||
|
13
webserver.js
13
webserver.js
@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||||||
// If this domain has configured headers, use them.
|
// If this domain has configured headers, use them.
|
||||||
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
|
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
|
||||||
// { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
|
// { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
|
||||||
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
|
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
|
||||||
|
res.set(domain.httpheaders);
|
||||||
|
} else {
|
||||||
|
// Use default security headers
|
||||||
|
res.set({
|
||||||
|
"X-Frame-Options": "sameorigin",
|
||||||
|
"Referrer-Policy": "no-referrer",
|
||||||
|
"X-XSS-Protection": "1; mode=block",
|
||||||
|
"X-Content-Type-Options": "nosniff",
|
||||||
|
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
// Detect if this is a file sharing domain, if so, just share files.
|
// Detect if this is a file sharing domain, if so, just share files.
|
||||||
if ((domain != null) && (domain.share != null)) {
|
if ((domain != null) && (domain.share != null)) {
|
||||||
|
Loading…
Reference in New Issue
Block a user