Todo #6647

open

Enable Additional Security Headers

Added by Chris Buechler over 7 years ago. Updated almost 3 years ago.

Status: New
Priority: Very Low
Assignee: -
Category: Web Interface
Target version:
Start date: 07/26/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

The nginx instance for the web GUI should enable CSP. Just adding the following works:

add_header Content-Security-Policy "default-src 'self';";

though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.

Adding upgrade-insecure-requests while there wouldn't hurt either.
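The edge case the issue worries about (a page that pulls in external resources under `default-src 'self'`) can be checked before the header goes live. The following is an added example, not code from the issue or from pfSense; it implements a simplified subset of CSP source matching, and the portal origin, resource list and policy strings are constructed for illustration.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Fetch directives (script-src, img-src, ...) fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))

def source_allows(src, page_origin, url):
    """Simplified CSP source matching: 'self', 'none', '*', scheme and host sources."""
    parsed = urlparse(url)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if src == "'self'":
        return origin == page_origin
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src.endswith(":"):           # scheme source, e.g. https:
        return parsed.scheme == src[:-1]
    host = src.split("://", 1)[-1]  # host source, with or without a scheme
    if host.startswith("*."):
        return (parsed.hostname or "").endswith(host[1:])
    return origin == src or parsed.hostname == host

def blocked_resources(policy_header, page_origin, resources):
    """Return the (directive, url) pairs the policy would refuse to load."""
    policy = parse_csp(policy_header)
    return [
        (directive, url) for directive, url in resources
        if not any(source_allows(s, page_origin, url)
                   for s in effective_sources(policy, directive))
    ]

# Constructed sample: a captive portal page that pulls in external assets.
PORTAL_ORIGIN = "https://portal.example.net"
PORTAL_RESOURCES = [
    ("script-src", "https://portal.example.net/js/portal.js"),
    ("img-src", "https://cdn.example.org/logo.png"),
    ("style-src", "https://fonts.example.com/font.css"),
]
STRICT_CSP = "default-src 'self';"

if __name__ == "__main__":
    for directive, url in blocked_resources(STRICT_CSP, PORTAL_ORIGIN, PORTAL_RESOURCES):
        print(f"blocked by {directive}: {url}")
```

Running it against the strict policy lists the two external assets the portal would lose, which is the reason the issue keeps that header off the captive portal instance.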
