Todo #6647

Enable CSP for GUI

Added by Chris Buechler almost 2 years ago. Updated 4 months ago.

Status: New
Priority: Normal
Category: Web Interface
Target version:
Start date: 07/26/2016
Due date:
% Done: 0%

Description

The nginx instance for the web GUI should enable CSP. Just adding the following works:

add_header Content-Security-Policy "default-src 'self';";

though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.

Adding upgrade-insecure-requests while there wouldn't hurt either.
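The worry above that a bare default-src 'self' may break an edge case can be checked before the header ships. The helper below is an added example, not pfSense code: it walks a page's markup and reports what that policy (without 'unsafe-inline') would refuse, namely inline scripts, inline styles and event handlers, and any resource not served from the GUI's own origin, which is exactly why captive portal pages with external logos or fonts would break. The page origin and the two sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical audit helper, not pfSense code: what a bare "default-src 'self'" blocks.
class CspAudit(HTMLParser):
    SRC_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

    def __init__(self, page_origin):
        super().__init__()
        self.origin = page_origin   # scheme://host[:port] the page is served from (assumed)
        self.findings = []          # (element, verdict) in document order
        self._script = None         # body of the current inline <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_ATTRS and a.get(self.SRC_ATTRS[tag]):
            self._check_url(tag, a[self.SRC_ATTRS[tag]])
        if tag == "script":
            self._script = None if "src" in a else ""
        if "style" in a:            # style="" attributes need 'unsafe-inline'
            self.findings.append((f"<{tag} style=...>", "BLOCKED: inline style"))
        for name in (n for n in a if n.startswith("on")):   # onclick= etc. likewise
            self.findings.append((f"<{tag} {name}=...>", "BLOCKED: inline handler"))

    def handle_data(self, data):
        if self._script is not None:
            self._script += data

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if self._script.strip():
                self.findings.append(("<script> inline", "BLOCKED: inline script"))
            self._script = None

    def _check_url(self, tag, url):
        u = urlparse(url)           # relative URLs and the page's own origin count as 'self'
        same = (u.scheme == "" and u.netloc == "") or f"{u.scheme}://{u.netloc}" == self.origin
        self.findings.append((f"<{tag}> {url}", "allowed: 'self'" if same else "BLOCKED: not 'self'"))

def blocked_by_self_policy(html, page_origin):
    p = CspAudit(page_origin)
    p.feed(html)
    p.close()
    return [what for what, verdict in p.findings if verdict.startswith("BLOCKED")]

# Constructed sample markup, not the real pfSense GUI or captive portal pages.
GUI_PAGE = """<html><head><link rel="stylesheet" href="/css/pfSense.css">
<script src="/vendor/jquery/jquery.min.js"></script>
<script>$(function(){ hide_items(); });</script></head><body><div style="display:none"></div></body></html>"""
PORTAL_PAGE = '<img src="https://cdn.example.com/logo.png"><a href="/" onclick="return confirm(1)">Login</a>'
```

Running blocked_by_self_policy(GUI_PAGE, "https://192.168.1.1") flags the inline script and the style attribute; the portal sample is flagged for its external image and its onclick handler.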

History

#1 Updated by Jim Thompson over 1 year ago

  • Assignee set to Renato Botelho

#2 Updated by Renato Botelho 10 months ago

  • Target version changed from 2.4.0 to 2.4.1

#3 Updated by Jim Pingle 9 months ago

  • Target version changed from 2.4.1 to 2.4.2

#4 Updated by Jim Pingle 9 months ago

  • Target version changed from 2.4.2 to 2.4.3

#5 Updated by JohnPoz _ 5 months ago

While I am by no means an expert on what specific headers are appropriate... and the webgui really should be limited to local access from a secure network and machine. This sort of came up in this thread.

https://forum.pfsense.org/index.php?topic=144026.0

There are maybe a few other headers that could be added to the webgui. I have not researched all the best practices in any sort of detail, but there are some listed here that are also missing that might make sense to add.
http://www.globaldots.com/8-http-security-headers-best-practices/

From a curl to the webgui and looking at the headers, along with the CSP I would think
X-XSS-Protection "1; mode=block"

and possibly
Referrer-Policy

should also be added.

edit: Also I am not a Chrome user, but isn't there an Expect-CT that Chrome is going to start enforcing for trust?
Thanks!

#6 Updated by Jim Pingle 4 months ago

  • Target version changed from 2.4.3 to 2.4.4

We have our own internal controls to handle referring URLs, so that header isn't desirable.

Reading about X-XSS-Protection, it seems like it's not all that great either, as it opens up other potential attacks.

CSP sounds desirable but we'd need to test it more thoroughly than we have time to do before this release. We can try it out for the next one, though.
