prevent loading resources from external sites
Commit Message
Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.
This mitigates some XSS and content-injection attacks, which matters
most where no transport encryption can be used (Captive Portal!).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/httpd/vhosts.d/captive.conf | 2 ++
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
config/httpd/vhosts.d/ipfire-interface.conf | 2 ++
3 files changed, 6 insertions(+)
@@ -9,6 +9,8 @@ Listen 1013
# code was entered.
KeepAlive Off
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
Alias /assets/ /srv/web/ipfire/html/captive/assets/
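Review bot: The value set on the `Header always set Content-Security-Policy` line still permits injected inline scripts and `eval()`, because `script-src` carries `'unsafe-inline'` and `'unsafe-eval'`; what this header actually enforces is the `default-src 'self'` restriction on external origins, which is the scope the subject line claims and should be the scope the commit message claims too. On the captive portal the page is served without TLS (the commit message says so), so an on-path attacker can strip or rewrite this header together with the page itself — the policy only helps against injection through the application, not against a network attacker. The directives that do not fall back to `default-src` are left open; appending `; base-uri 'self'; form-action 'self'` to the value would close the `<base>`-hijack and form-redirection vectors, assuming the portal's forms only post back to this vhost (worth confirming). The same policy string appears verbatim in three vhost files, so either keep them in sync deliberately or move the line into one shared include.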
@@ -18,6 +18,8 @@
SSLCertificateFile /etc/httpd/server-ecdsa.crt
SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
<Directory /srv/web/ipfire/html>
Options ExecCGI
AllowOverride None
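Review bot: `frame-ancestors` is not governed by `default-src`, so the header added after the `SSLCertificateKeyFile` line leaves the WebUI embeddable in a cross-origin frame unless an `X-Frame-Options` or `frame-ancestors` setting exists elsewhere in this vhost, which the hunk does not show. On the TLS vhost, where the header reaches the browser intact, adding `; frame-ancestors 'none'` (or `'self'` if the UI frames its own pages — confirm) would cover clickjacking as well. `Header always set` also requires `mod_headers` to be loaded; the module list is outside the hunk, so check it is, since httpd otherwise refuses to start on an unknown directive. The `<Directory /srv/web/ipfire/html>` block that opens in this hunk continues past its end.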
@@ -6,6 +6,8 @@
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
<Directory /srv/web/ipfire/html>
Options ExecCGI
AllowOverride None
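Review bot: With `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, the header added after the `RewriteRule .* - [F]` line does not stop reflected or stored XSS in the CGI pages: an injected `<script>` block or `onerror=` attribute runs exactly as before, and only script fetched from another origin is blocked. If the WebUI's inline scripts cannot be moved into files under `/self`, the usual way to keep an XSS mitigation is a per-response `'nonce-…'` emitted by the CGI scripts, which belongs in the Perl side rather than in this vhost file; it is also worth testing whether the UI really needs `'unsafe-eval'`, and dropping it if nothing breaks. As a cheap interim, appending `; object-src 'none'; base-uri 'self'` to the value removes the plugin and `<base>`-hijack vectors, since `base-uri` does not inherit from `default-src`. The `<Directory /srv/web/ipfire/html>` block opened in this hunk continues past its end.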