Enable CSP for GUI
The nginx instance for the web GUI should enable CSP. Just adding the following works:
add_header Content-Security-Policy "default-src 'self';";
though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.
Adding upgrade-insecure-requests while there wouldn't hurt either.
While I am by no means an expert on what specific headers are appropriate... And the webgui really should be limited to local access from a secure network and machine. This sort of came up in this thread.
There are maybe a few other headers that could be added to the webgui. I have not researched all the best practices in any sort of detail. There are some listed here that are also missing that might make sense to add.
From a curl to the webgui and looking at the headers, along with the CSP I would think
X-XSS-Protection "1; mode=block"
should also be added.
edit: Also I am not a chrome user but isn't there an Expect-CT that chrome is going to start enforcing for trust?
#6 Updated by Jim Pingle about 1 month ago
- Target version changed from 2.4.3 to 2.4.4
We have our own internal controls to handle referring URLs, so that header isn't desirable.
Reading about X-XSS-Protection, it seems like it's not all that great either, as it opens up other potential attacks.
CSP sounds desirable but we'd need to test it more thoroughly than we have time to do before this release. We can try it out for the next one, though.
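The "curl to the webgui and look at the headers" check above, and the later point that X-XSS-Protection is not worth adding, can be turned into a small audit script. This is an added example, not code from the pfSense project or from anyone in this thread; the sample header block is constructed and the finding strings are my own wording.

```python
"""Audit a captured HTTP response header block for the headers discussed in this issue."""
from typing import Dict, List

# Constructed sample of what `curl -I` against the web GUI might return
# before any CSP is added (not real pfSense output).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines (status line skipped) into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; flag-only directives map to []."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(raw: str) -> List[str]:
    """Return findings for the header set, in the terms used in this issue."""
    h = parse_headers(raw)
    findings: List[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = parse_csp(csp)
        if "default-src" not in d:
            findings.append("CSP has no default-src fallback")
        if "upgrade-insecure-requests" not in d:
            findings.append("CSP lacks upgrade-insecure-requests")
    if "x-xss-protection" in h:
        # Legacy browser filter; the thread notes it can enable other attacks.
        findings.append("X-XSS-Protection present: legacy filter, consider dropping")
    return findings
```

Paste the output of `curl -I` against the GUI into `audit()` to see which of the headers discussed here are still missing.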