author | Connor Shea <connor.james.shea@gmail.com> | 2016-06-17 15:26:21 -0600 |
---|---|---|
committer | Connor Shea <connor.james.shea@gmail.com> | 2016-07-18 11:43:35 -0600 |
commit | e8e608765e875814b89847d59b4699175746596a (patch) | |
tree | 2c8a8d8c80a70f4093d28ee15b40f864d6b1e47c | |
parent | cc0d15a8869e25eb02b5e829e24ae3933419760f (diff) | |
download | gitlab-ce-e8e608765e875814b89847d59b4699175746596a.tar.gz |
Fix that which hath been broken. Except the sidekiq admin iframe.
-rw-r--r-- | app/controllers/admin/background_jobs_controller.rb | 4 | ||||
-rw-r--r-- | config/initializers/secure_headers.rb | 38 |
2 files changed, 42 insertions, 0 deletions
diff --git a/app/controllers/admin/background_jobs_controller.rb b/app/controllers/admin/background_jobs_controller.rb
index 338496013a0..7ccbe7c4232 100644
--- a/app/controllers/admin/background_jobs_controller.rb
+++ b/app/controllers/admin/background_jobs_controller.rb
@@ -2,5 +2,9 @@ class Admin::BackgroundJobsController < Admin::ApplicationController
   def show
     ps_output, _ = Gitlab::Popen.popen(%W(ps -U #{Gitlab.config.gitlab.user} -o pid,pcpu,pmem,stat,start,command))
     @sidekiq_processes = ps_output.split("\n").grep(/sidekiq/)
+
+    override_x_frame_options("SAMEORIGIN")
+
+    override_content_security_policy_directives(frame_ancestors: %w('self'))
   end
 end
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 00000000000..7ac4c7ace8e
--- /dev/null
+++ b/config/initializers/secure_headers.rb
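Review bot: `override_content_security_policy_directives(frame_ancestors: %w('self'))` and `override_x_frame_options("SAMEORIGIN")` relax framing on the response of this `show` action, but frame-ancestors and X-Frame-Options govern who may embed the response that carries them, not what that page may embed; if the Sidekiq UI inside the iframe is served by a separate route, its own response still carries the default `frame_ancestors: %w('none')` / `X-Frame-Options: DENY`, which would account for the "except the sidekiq admin iframe" in the commit message. The overrides belong on the framed response (or on both), and the framing page's ability to embed is already covered by the default `child_src`/`frame_src: %w('self')`. Note also that the default configuration sets `report_only: true`, so the CSP override here is advisory either way and only the X-Frame-Options override is enforced. A comment recording the intent would help, e.g. `# Allow this admin page to be framed by same-origin pages (Sidekiq UI iframe)`.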
@@ -0,0 +1,38 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true, # mark all cookies as "Secure"
+    httponly: true, # mark all cookies as "HttpOnly"
+    samesite: {
+      strict: true # mark all cookies as SameSite=Strict
+    }
+  }
+  config.x_frame_options = "DENY"
+  config.x_content_type_options = "nosniff"
+  config.x_xss_protection = "1; mode=block"
+  config.x_download_options = "noopen"
+  config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = "origin-when-cross-origin"
+  config.csp = {
+    # "meta" values. these will shaped the header, but the values are not included in the header.
+    report_only: true, # default: false
+    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+    # directive values: these values will directly translate into source directives
+    default_src: %w('none'),
+    frame_src: %w('self'),
+    connect_src: %w('self'),
+    font_src: %w('self'),
+    img_src: %w('self' www.gravatar.com secure.gravatar.com),
+    media_src: %w('none'),
+    object_src: %w('none'),
+    script_src: %w('unsafe-inline' 'unsafe-eval' 'self' maxcdn.bootstrapcdn.com),
+    style_src: %w('unsafe-inline' 'self'),
+    base_uri: %w('self'),
+    child_src: %w('self'),
+    form_action: %w('self'),
+    frame_ancestors: %w('none'),
+    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
+    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
+    report_uri: %w('')
+  }
+end
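Review bot: `report_uri: %w('')` together with `report_only: true` leaves the whole CSP advisory while sending violation reports to an empty `report-uri ''`, so the policy neither blocks anything nor produces a usable signal; either point `report_uri` at a real collection endpoint or drop the key so no malformed directive is emitted. `script_src` keeps `'unsafe-inline'` and `'unsafe-eval'`, which largely void CSP's protection against script injection; that is defensible as a transitional step but deserves a comment such as `# TODO: drop 'unsafe-inline'/'unsafe-eval' once inline scripts move to nonced or external files` so it is not read as the intended end state. `samesite: { strict: true }` and `secure: true` apply to every cookie: strict SameSite on the session cookie can break sign-in flows that return via a cross-site top-level navigation (OAuth/SAML callbacks), and `secure` drops cookies on plain-HTTP installs, so those paths should be verified before the policy is enforced. Minor: the comment `these will shaped the header` should read `these will shape the header`.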