-
Notifications
You must be signed in to change notification settings - Fork 4.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add some basic headers to OSIN provided pages
Use restrictive defaults for basic security hygiene. Signed-off-by: Simo Sorce <simo@redhat.com>
- Loading branch information
Showing
4 changed files
with
119 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| package headers | ||
|
|
||
| import ( | ||
| "net/http" | ||
| ) | ||
|
|
||
| func SetStandardHeaders(w http.ResponseWriter) { | ||
|
|
||
| // We cannot set HSTS by default, it has too many drawbacks in environments | ||
| // that use self-signed certs | ||
| standardHeaders := map[string]string{ | ||
| // Turn off caching, it never makes sense for authorization pages | ||
| "Cache-Control": "no-cache, no-store", | ||
| "Pragma": "no-cache", | ||
| "Expires": "0", | ||
| // Use a reasonably strict Referer policy by default | ||
| "Referrer-Policy": "strict-origin-when-cross-origin", | ||
| // Do not allow embedding as that can lead to clickjacking attacks | ||
| "X-Frame-Options": "DENY", | ||
| // Add other basic scurity hygiene headers | ||
| "X-Content-Type-Options": "nosniff", | ||
| "X-DNS-Prefetch-Control": "off", | ||
| "X-XSS-Protection": "1; mode=block", | ||
| } | ||
|
|
||
| for key, val := range standardHeaders { | ||
| w.Header().Set(key, val) | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| package integration | ||
|
|
||
| import ( | ||
| "net/http" | ||
| "net/url" | ||
| "testing" | ||
|
|
||
| restclient "k8s.io/client-go/rest" | ||
|
|
||
| testutil "github.com/openshift/origin/test/util" | ||
| testserver "github.com/openshift/origin/test/util/server" | ||
| ) | ||
|
|
||
| // TestOAuthServerHeaders tests that the Oauth Server pages that return | ||
| // browser relevant stuff (HTML) are served with appropriate headers | ||
| func TestOAuthServerHeaders(t *testing.T) { | ||
| // Set up server | ||
| masterOptions, err := testserver.DefaultMasterOptions() | ||
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
|
|
||
| defer testserver.CleanupMasterEtcd(t, masterOptions) | ||
|
|
||
| clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterOptions) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
|
|
||
| clientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
|
|
||
| anonConfig := restclient.AnonymousClientConfig(clientConfig) | ||
| transport, err := restclient.TransportFor(anonConfig) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
|
|
||
| baseURL, err := url.Parse(clientConfig.Host) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error: %v", err) | ||
| } | ||
|
|
||
| // Hit the login URL | ||
| loginURL := *baseURL | ||
| loginURL.Path = "/login" | ||
| checkNewReqHeaders(t, transport, loginURL.String()) | ||
|
|
||
| // Hit the grant URL | ||
| grantURL := *baseURL | ||
| grantURL.Path = "/oauth/authorize/approve" | ||
| checkNewReqHeaders(t, transport, grantURL.String()) | ||
|
|
||
| } | ||
|
|
||
| func checkNewReqHeaders(t *testing.T, rt http.RoundTripper, check_url string) { | ||
| req, err := http.NewRequest("GET", check_url, nil) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error %v", err) | ||
| } | ||
|
|
||
| req.Header.Set("Accept", "text/html; charset=UTF-8") | ||
|
|
||
| resp, err := rt.RoundTrip(req) | ||
| if err != nil { | ||
| t.Fatalf("unexpected error %v", err) | ||
| } | ||
|
|
||
| checkImportantHeaders := map[string]string{ | ||
| "Referrer-Policy": "strict-origin-when-cross-origin", | ||
| "X-Frame-Options": "DENY", | ||
| "X-Content-Type-Options": "nosniff", | ||
| "X-DNS-Prefetch-Control": "off", | ||
| "X-XSS-Protection": "1; mode=block", | ||
| } | ||
|
|
||
| for key, val := range checkImportantHeaders { | ||
| header := resp.Header.Get(key) | ||
| if header != val { | ||
| t.Errorf("While probing %s expected header %s: %s, got {%v}", check_url, key, val, header) | ||
| } | ||
| } | ||
| } |