From e8e608765e875814b89847d59b4699175746596a Mon Sep 17 00:00:00 2001
From: Connor Shea <connor.james.shea@gmail.com>
Date: Fri, 17 Jun 2016 15:26:21 -0600
Subject: Fix that which hath been broken. Except the sidekiq admin iframe.

---
 .../admin/background_jobs_controller.rb            |  4 +++
 config/initializers/secure_headers.rb              | 38 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 config/initializers/secure_headers.rb

diff --git a/app/controllers/admin/background_jobs_controller.rb b/app/controllers/admin/background_jobs_controller.rb
index 338496013a0..7ccbe7c4232 100644
--- a/app/controllers/admin/background_jobs_controller.rb
+++ b/app/controllers/admin/background_jobs_controller.rb
@@ -2,5 +2,9 @@ class Admin::BackgroundJobsController < Admin::ApplicationController
   def show
     ps_output, _ = Gitlab::Popen.popen(%W(ps -U #{Gitlab.config.gitlab.user} -o pid,pcpu,pmem,stat,start,command))
     @sidekiq_processes = ps_output.split("\n").grep(/sidekiq/)
+
+    override_x_frame_options("SAMEORIGIN")
+
+    override_content_security_policy_directives(frame_ancestors: %w('self'))
   end
 end
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 00000000000..7ac4c7ace8e
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,38 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true, # mark all cookies as "Secure"
+    httponly: true, # mark all cookies as "HttpOnly"
+    samesite: {
+      strict: true # mark all cookies as SameSite=Strict
+    }
+  }
+  config.x_frame_options = "DENY"
+  config.x_content_type_options = "nosniff"
+  config.x_xss_protection = "1; mode=block"
+  config.x_download_options = "noopen"
+  config.x_permitted_cross_domain_policies = "none"
+  config.referrer_policy = "origin-when-cross-origin"
+  config.csp = {
+    # "meta" values. these will shaped the header, but the values are not included in the header.
+    report_only: true,      # default: false
+    preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+    # directive values: these values will directly translate into source directives
+    default_src: %w('none'),
+    frame_src: %w('self'),
+    connect_src: %w('self'),
+    font_src: %w('self'),
+    img_src: %w('self' www.gravatar.com secure.gravatar.com),
+    media_src: %w('none'),
+    object_src: %w('none'),
+    script_src: %w('unsafe-inline' 'unsafe-eval' 'self' maxcdn.bootstrapcdn.com),
+    style_src: %w('unsafe-inline' 'self'),
+    base_uri: %w('self'),
+    child_src: %w('self'),
+    form_action: %w('self'),
+    frame_ancestors: %w('none'),
+    block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
+    upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
+    report_uri: %w('')
+  }
+end
-- 
cgit v1.2.1