Add some basic headers to OSIN provided pages

Use restrictive defaults for basic security hygiene. Signed-off-by: Simo Sorce <simo@redhat.com>
openshift · Oct 24, 2017 · 10a7b84 · 10a7b84
1 parent f10a493
commit 10a7b84
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/pkg/auth/server/grant/grant.go b/pkg/auth/server/grant/grant.go
@@ -15,6 +15,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
+	"github.com/openshift/origin/pkg/auth/server/headers"
 	scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	oapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
 	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
@@ -112,6 +113,8 @@ func (l *Grant) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	headers.SetStandardHeaders(w)
+
 	switch req.Method {
 	case "GET":
 		l.handleForm(user, w, req)

diff --git a/pkg/auth/server/headers/headers.go b/pkg/auth/server/headers/headers.go
@@ -0,0 +1,29 @@
+package headers
+
+import (
+	"net/http"
+)
+
+func SetStandardHeaders(w http.ResponseWriter) {
+
+	// We cannot set HSTS by default, it has too many drawbacks in environments
+	// that use self-signed certs
+	standardHeaders := map[string]string{
+		// Turn off caching, it never makes sense for authorization pages
+		"Cache-Control": "no-cache, no-store",
+		"Pragma":        "no-cache",
+		"Expires":       "0",
+		// Use a reasonably strict Referer policy by default
+		"Referrer-Policy": "strict-origin-when-cross-origin",
+		// Do not allow embedding as that can lead to clickjacking attacks
+		"X-Frame-Options": "DENY",
+		// Add other basic scurity hygiene headers
+		"X-Content-Type-Options": "nosniff",
+		"X-DNS-Prefetch-Control": "off",
+		"X-XSS-Protection":       "1; mode=block",
+	}
+
+	for key, val := range standardHeaders {
+		w.Header().Set(key, val)
+	}
+}
diff --git a/pkg/auth/server/login/implicit.go b/pkg/auth/server/login/implicit.go
@@ -13,6 +13,7 @@ import (
 	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/oauth/handlers"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
+	"github.com/openshift/origin/pkg/auth/server/headers"
 )
 
 type RequestAuthenticator interface {
@@ -51,6 +52,7 @@ func NewConfirm(csrf csrf.CSRF, auth RequestAuthenticator, render ConfirmFormRen
 }
 
 func (c *Confirm) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	headers.SetStandardHeaders(w)
 	switch req.Method {
 	case "GET":
 		c.handleConfirmForm(w, req)

diff --git a/pkg/auth/server/login/login.go b/pkg/auth/server/login/login.go
@@ -17,6 +17,7 @@ import (
 	"github.com/openshift/origin/pkg/auth/prometheus"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
 	"github.com/openshift/origin/pkg/auth/server/errorpage"
+	"github.com/openshift/origin/pkg/auth/server/headers"
 )
 
 const (
@@ -95,6 +96,7 @@ func (l *Login) Install(mux Mux, paths ...string) {
 }
 
 func (l *Login) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	headers.SetStandardHeaders(w)
 	switch req.Method {
 	case "GET":
 		l.handleLoginForm(w, req)