Added more security in HTTP headers

2019-09-12 15:12:40 -07:00 · 2019-09-12 15:12:40 -07:00 · ab3f974810
parent 9b80916a7e
commit ab3f974810
4 changed files with 20 additions and 5 deletions
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "meshcentral",
-  "version": "0.4.0-l",
+  "version": "0.4.0-n",
  "keywords": [
    "Remote Management",
    "Intel AMT",
--- a/sample-config.json
+++ b/sample-config.json
@ -102,7 +102,11 @@
        "meshcommander": "https://www.meshcommander.com/"
      },
      "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
-      "_httpheaders": { "Strict-Transport-Security": "max-age=360000" },
+      "_httpheaders": {
+        "Strict-Transport-Security": "max-age=360000",
+        "x-frame-options": "SAMEORIGIN",
+        "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+      },
      "_agentConfig": [ "webSocketMaskOverride=1" ],
      "_SessionRecording": {
        "_filepath": "C:\\temp",
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -1084,7 +1084,7 @@
            //window.addEventListener("focus", ondocfocus, false);
            window.addEventListener("blur", ondocblur, false);
            window.onresize = function () { masterUpdate(512); }
-            setTimeout("masterUpdate(512)", 200);
+            setTimeout(function() { masterUpdate(512); }, 200);

            // Connect to the mesh server
            meshserver = MeshServerCreateControl(domainUrl, authCookie);
@ -2197,7 +2197,7 @@
            putstore("_deviceView", Q('viewselect').value);
            putstore("_viewsize", Q('sizeselect').value);
            masterUpdate(4);
-            setTimeout("masterUpdate(512)", 200);
+            setTimeout(function () { masterUpdate(512); }, 200);
        }

        function ondockeypress(e) {
--- a/webserver.js
+++ b/webserver.js
@ -3146,7 +3146,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
            // If this domain has configured headers, use them.
            // Example headers: { 'Strict-Transport-Security': 'max-age=360000;includeSubDomains' };
            //                  { 'Referrer-Policy': 'no-referrer', 'x-frame-options': 'SAMEORIGIN', 'X-XSS-Protection': '1; mode=block', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src http: ws: data: 'self';script-src http: 'unsafe-inline';style-src http: 'unsafe-inline'" };
-            if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) { res.set(domain.httpheaders); }
+            if ((domain != null) && (domain.httpheaders != null) && (typeof domain.httpheaders == 'object')) {
+                res.set(domain.httpheaders);
+            } else {
+                // Use default security headers
+                res.set({
+                    "X-Frame-Options": "sameorigin",
+                    "Referrer-Policy": "no-referrer",
+                    "X-XSS-Protection": "1; mode=block",
+                    "X-Content-Type-Options": "nosniff",
+                    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"
+                });
+            }

            // Detect if this is a file sharing domain, if so, just share files.
            if ((domain != null) && (domain.share != null)) {