From ab3f974810237d23b046d37c46a1c43ca918ead4 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 12 Sep 2019 15:12:40 -0700 Subject: [PATCH] Added more security in HTTP headers --- package.json | 2 +- sample-config.json | 6 +++++- views/default.handlebars | 4 ++-- webserver.js | 13 ++++++++++++- 4 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 29124ea3..4f578402 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.4.0-l",
+ "version": "0.4.0-n",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/sample-config.json b/sample-config.json
index 1af8cc8b..a8f3caf1 100644
--- a/sample-config.json
+++ b/sample-config.json
@@ -102,7 +102,11 @@
 "meshcommander": "https://www.meshcommander.com/"
 },
 "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
- "_httpheaders": { "Strict-Transport-Security": "max-age=360000" },
+ "_httpheaders": {
+ "Strict-Transport-Security": "max-age=360000",
+ "x-frame-options": "SAMEORIGIN",
+ "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+ },
 "_agentConfig": [ "webSocketMaskOverride=1" ],
 "_SessionRecording": {
 "_filepath": "C:\\temp",
diff --git a/views/default.handlebars b/views/default.handlebars
index 7bb4d071..1db5e390 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -1084,7 +1084,7 @@
 //window.addEventListener("focus", ondocfocus, false);
 window.addEventListener("blur", ondocblur, false);
 window.onresize = function () { masterUpdate(512); }
- setTimeout("masterUpdate(512)", 200);
+ setTimeout(function() { masterUpdate(512); }, 200);
 // Connect to the mesh server
 meshserver = MeshServerCreateControl(domainUrl, authCookie);
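Review bot: The `Strict-Transport-Security` value carried over into the new `_httpheaders` block, `max-age=360000`, is about four days, which is too short for the header to give lasting protection; once every host under the domain is reachable over HTTPS only, raise it to at least six months, e.g. `"Strict-Transport-Security": "max-age=15552000"`, adding `includeSubDomains` only when all subdomains are HTTPS, since a long max-age is hard to walk back. The webserver.js hunk in this same commit applies configured `httpheaders` instead of its built-in defaults, so an admin who enables this sample and trims it loses `Referrer-Policy` and `X-Content-Type-Options` silently; the project documentation for `httpheaders` should state that the configured object replaces the defaults rather than extending them.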
@@ -2197,7 +2197,7 @@
 putstore("_deviceView", Q('viewselect').value);
 putstore("_viewsize", Q('sizeselect').value);
 masterUpdate(4);
- setTimeout("masterUpdate(512)", 200);
+ setTimeout(function () { masterUpdate(512); }, 200);
 }
 function ondockeypress(e) {
diff --git a/webserver.js b/webserver.js
index 3597ef00..34392142 100644
--- a/webserver.js
+++ b/webserver.js
@@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // If this domain has configured headers, use them.
 // Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
 // { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
- if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
+ if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
+ res.set(domain.httpheaders);
+ } else {
+ // Use default security headers
+ res.set({
+ "X-Frame-Options": "sameorigin",
+ "Referrer-Policy": "no-referrer",
+ "X-XSS-Protection": "1; mode=block",
+ "X-Content-Type-Options": "nosniff",
+ "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+ });
+ }
 // Detect if this is a file sharing domain, if so, just share files.
 if ((domain != null) && (domain.share != null)) {
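Review bot: The default `Content-Security-Policy` set in the new `else` branch keeps `'unsafe-inline'` in `script-src`, so an injected inline script still runs and the policy does not mitigate XSS on the pages it covers; it only limits where external scripts, connections and images may be loaded from. The `setTimeout` rewrites in views/default.handlebars are the right first step, but actually removing `'unsafe-inline'` will need nonces or hashes for the remaining inline scripts, and the policy has no `frame-ancestors`, the CSP directive that supersedes the `X-Frame-Options` set three lines above in browsers that support it, so I would at least extend the value to `"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; frame-ancestors 'self'; media-src 'self'"`. Note also that the older example comment above lists `ws:` explicitly while the new default relies on `connect-src 'self'` for the WebSocket control channel; current browsers match `wss:` to `'self'`, but older CSP implementations did not, so this deserves a check against the oldest browser the project supports. A configured `domain.httpheaders` also replaces these defaults wholesale rather than merging with them, which the leading comment does not say; `// If this domain has configured headers, use them instead of the defaults below (they are not merged).` would make that explicit. All of this sits inside the request handler of `CreateWebServer`, which begins and ends outside the hunk.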