Merge pull request #17010 from simo5/authheaders

Automatic merge from submit-queue (batch tested with PRs 17020, 17026, 17000, 17010). Add some basic headers to OSIN provided pages Use restrictive defaults for basic security hygiene.
openshift · Oct 25, 2017 · 87e24b0 · 87e24b0
2 parents 58d89a4 + 24083ea
commit 87e24b0
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 298 deletions.
diff --git a/pkg/auth/server/grant/grant.go b/pkg/auth/server/grant/grant.go
@@ -15,6 +15,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/openshift/origin/pkg/auth/authenticator"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
+	"github.com/openshift/origin/pkg/auth/server/headers"
 	scopeauthorizer "github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	oapi "github.com/openshift/origin/pkg/oauth/apis/oauth"
 	oauthclient "github.com/openshift/origin/pkg/oauth/generated/internalclientset/typed/oauth/internalversion"
@@ -106,12 +107,13 @@ func (l *Grant) Install(mux Mux, paths ...string) {
 }
 
 func (l *Grant) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	headers.SetStandardHeaders(w)
+
 	user, ok, err := l.auth.AuthenticateRequest(req)
 	if err != nil || !ok {
 		l.redirect("You must reauthenticate before continuing", w, req)
 		return
 	}
-
 	switch req.Method {
 	case "GET":
 		l.handleForm(user, w, req)

diff --git a/pkg/auth/server/headers/headers.go b/pkg/auth/server/headers/headers.go
@@ -0,0 +1,29 @@
+package headers
+
+import (
+	"net/http"
+)
+
+func SetStandardHeaders(w http.ResponseWriter) {
+
+	// We cannot set HSTS by default, it has too many drawbacks in environments
+	// that use self-signed certs
+	standardHeaders := map[string]string{
+		// Turn off caching, it never makes sense for authorization pages
+		"Cache-Control": "no-cache, no-store",
+		"Pragma":        "no-cache",
+		"Expires":       "0",
+		// Use a reasonably strict Referer policy by default
+		"Referrer-Policy": "strict-origin-when-cross-origin",
+		// Do not allow embedding as that can lead to clickjacking attacks
+		"X-Frame-Options": "DENY",
+		// Add other basic scurity hygiene headers
+		"X-Content-Type-Options": "nosniff",
+		"X-DNS-Prefetch-Control": "off",
+		"X-XSS-Protection":       "1; mode=block",
+	}
+
+	for key, val := range standardHeaders {
+		w.Header().Set(key, val)
+	}
+}
diff --git a/pkg/auth/server/login/implicit.go b/pkg/auth/server/login/implicit.go
diff --git a/pkg/auth/server/login/implicit_test.go b/pkg/auth/server/login/implicit_test.go
diff --git a/pkg/auth/server/login/login.go b/pkg/auth/server/login/login.go
@@ -17,6 +17,7 @@ import (
 	"github.com/openshift/origin/pkg/auth/prometheus"
 	"github.com/openshift/origin/pkg/auth/server/csrf"
 	"github.com/openshift/origin/pkg/auth/server/errorpage"
+	"github.com/openshift/origin/pkg/auth/server/headers"
 )
 
 const (
@@ -95,6 +96,7 @@ func (l *Login) Install(mux Mux, paths ...string) {
 }
 
 func (l *Login) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	headers.SetStandardHeaders(w)
 	switch req.Method {
 	case "GET":
 		l.handleLoginForm(w, req)