Added more security in HTTP headers

This commit is contained in:
Ylian Saint-Hilaire 2019-09-12 15:12:40 -07:00
parent 9b80916a7e
commit ab3f974810
4 changed files with 20 additions and 5 deletions

View File

@ -1,6 +1,6 @@
{
"name": "meshcentral",
"version": "0.4.0-l",
"version": "0.4.0-n",
"keywords": [
"Remote Management",
"Intel AMT",

View File

@ -102,7 +102,11 @@
"meshcommander": "https://www.meshcommander.com/"
},
"_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
"_httpheaders": { "Strict-Transport-Security": "max-age=360000" },
"_httpheaders": {
"Strict-Transport-Security": "max-age=360000",
"x-frame-options": "SAMEORIGIN",
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
},
"_agentConfig": [ "webSocketMaskOverride=1" ],
"_SessionRecording": {
"_filepath": "C:\\temp",

View File

@ -1084,7 +1084,7 @@
//window.addEventListener("focus", ondocfocus, false);
window.addEventListener("blur", ondocblur, false);
window.onresize = function () { masterUpdate(512); }
setTimeout("masterUpdate(512)", 200);
setTimeout(function() { masterUpdate(512); }, 200);
// Connect to the mesh server
meshserver = MeshServerCreateControl(domainUrl, authCookie);
@ -2197,7 +2197,7 @@
putstore("_deviceView", Q('viewselect').value);
putstore("_viewsize", Q('sizeselect').value);
masterUpdate(4);
setTimeout("masterUpdate(512)", 200);
setTimeout(function () { masterUpdate(512); }, 200);
}
function ondockeypress(e) {

View File

@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// If this domain has configured headers, use them.
// Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
// { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
res.set(domain.httpheaders);
} else {
// Use default security headers
res.set({
"X-Frame-Options": "sameorigin",
"Referrer-Policy": "no-referrer",
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
});
}
// Detect if this is a file sharing domain, if so, just share files.
if ((domain != null) && (domain.share != null)) {