From patchwork Mon Dec  4 04:10:47 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1574
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.ipfire.org (Postfix) with ESMTP id C4FFA60C75
	for <patchwork@ipfire.org>; Sun,  3 Dec 2017 18:11:01 +0100 (CET)
Received: from mail01.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id DEE8B25A0;
	Sun,  3 Dec 2017 18:11:00 +0100 (CET)
Received: from mx.link38.eu (mx.link38.eu [IPv6:2a03:4000:17:39a::1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mx.link38.eu",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 6476B1FD7
	for <development@lists.ipfire.org>;
	Sun,  3 Dec 2017 18:10:57 +0100 (CET)
X-Virus-Scanned: ClamAV at mx.link38.eu
Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu
	[10.141.75.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx.link38.eu (Postfix) with ESMTPS id E3C394016F
	for <development@lists.ipfire.org>;
	Sun,  3 Dec 2017 18:10:47 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 6DFD39F1DC
	for <development@lists.ipfire.org>;
	Sun,  3 Dec 2017 18:10:47 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=link38.eu; s=201711;
	t=1512321047; x=1575393047;
	bh=WWzLX+3c7e5TfEr44DzV8RBWSI9mKYYGHM1GIrbOYXE=;
	h=Date:From:To:Subject:Message-ID:Content-Type:From:To:Subject:Date:
	Cc;
	b=iVqxkO+GSkdY60TBnyo96EVq0Qj/0dYOUsjFWbkF2ABLG/fPmUQbm/WdtbAvZEKrJ
	vzn4NyEMpw00+P8xCzcKodThHdVnzcAowoL/OD3buddtP/WdhKfVDN1vD2pw3pGWov
	HwCypKpHQOIl9w8+5bPe1P16f6h8oUpyJKSKEls+JfS8Sq25ABFNto1d4bO6k9EceM
	HYxS65BPSuxEfaGYJOpf5LFF1o523u8T/Jc/4RyY17UA77c7aROaTFgnaLSv810j3R
	anB/2YYp3tQR6yFiR4fahwKVZCVDvWs1bnQzpv3aIcsKQpwXkrPvmjssPWjux/A/zR
	ZO8hrNHD5ajTw==
Date: Sun, 3 Dec 2017 18:10:47 +0100
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: "development@lists.ipfire.org" <development@lists.ipfire.org>
Subject: [PATCH] prevent IE from interpreting HTML MIME type
Message-ID: <20171203181047.01d078d5.peter.mueller@link38.eu>
Organization: Link38
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Add X-Content-Type-Options header to prevent Internet Explorer
from interpreting the MIME type of a server answer on its own,
which could lead to security risks.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/httpd/vhosts.d/captive.conf              | 2 ++
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 4 ++++
 config/httpd/vhosts.d/ipfire-interface.conf     | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e4e1d78f1..e71a26081 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -9,6 +9,8 @@ Listen 1013
 	# code was entered.
 	KeepAlive Off
 
+	Header always set X-Content-Type-Options nosniff
+
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
 
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index dacf6a005..c5d8ffba9 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -3,10 +3,12 @@
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
+
     DocumentRoot /srv/web/ipfire/html
     ServerAdmin root@localhost
     ErrorLog /var/log/httpd/error_log
     TransferLog /var/log/httpd/access_log
+
     SSLEngine on
     SSLProtocol all -SSLv2 -SSLv3
     SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
@@ -18,6 +20,8 @@
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
+    Header always set X-Content-Type-Options nosniff
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index be15cd041..5c7ddc719 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -6,6 +6,8 @@
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
 
+    Header always set X-Content-Type-Options nosniff
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None