
[feature] Set some security related headers #3065

Merged: 3 commits from security-headers into main, Jul 4, 2024

Conversation

@daenney daenney commented Jul 3, 2024

Description

This sets a few basic security related headers, aside from the CSP which we already have.

I'm slowly going through https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html and figuring out what applies.

Each commit is a separate header + the why of it.

Checklist

Please put an x inside each checkbox to indicate that you've read and followed it: [ ] -> [x]

If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want).

  • I/we have read the GoToSocial contribution guidelines.
  • I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
  • I/we have not leveraged AI to create the proposed changes.
  • I/we have performed a self-review of added code.
  • I/we have written code that is legible and maintainable by others.
  • I/we have commented the added code, particularly in hard-to-understand areas.
  • I/we have made any necessary changes to documentation.
  • I/we have added tests that cover new code.
  • I/we have run tests and they pass locally with the changes.
  • I/we have run go fmt ./... and golangci-lint run.

daenney added 3 commits July 3, 2024 14:59
This ensures we can't be loaded/embedded in an iframe. It also sets the
older X-Frame-Options for fallback.
This sets the policy such that browsers will never send the Referer
header along with a request, unless it's a request to the same protocol,
host/domain and port. Basically, only send it when navigating through
our own UI, but not anything external.

The default is strict-origin-when-cross-origin when unset, which sends
the Referer header for requests unless it's going from HTTPS to HTTP
(i.e. a security downgrade, hence the 'strict').
@@ -27,6 +27,15 @@ func ExtraHeaders() gin.HandlerFunc {
// Inform all callers which server implementation this is.
c.Header("Server", "gotosocial")

// Equivalent to CSP frame-ancestors for older browsers
c.Header("X-Frame-Options", "DENY")
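Review bot: the comment on the `X-Frame-Options` line should name the frame-ancestors value it mirrors, because browsers that understand CSP frame-ancestors ignore `X-Frame-Options` entirely, so the two only act as fallback for each other if they agree: `DENY` corresponds to `frame-ancestors 'none'`, while `SAMEORIGIN` corresponds to `frame-ancestors 'self'`. Suggest `// Equivalent to CSP frame-ancestors 'none' for older browsers` and a check that the existing CSP actually uses 'none'; otherwise a modern browser and a legacy one will enforce different framing rules.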
@daenney (Member Author) commented on this line:

Caps here don't matter but so many examples go full caps on it. So. DENYed.
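As an added example (not GoToSocial's own code), here are the two headers from this change as a plain net/http middleware, plus an audit function a defender can run over any response to catch a missing fallback header or the X-Frame-Options/CSP frame-ancestors disagreement discussed above. The "same-origin" Referrer-Policy value is assumed from the commit message's description rather than copied from the diff, and all function names are mine.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityHeaders sets the two headers this PR adds. The "same-origin"
// Referrer-Policy value is an assumption taken from the commit message.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "DENY")
		w.Header().Set("Referrer-Policy", "same-origin")
		next.ServeHTTP(w, r)
	})
}

// frameAncestors returns the lower-cased source list of the CSP
// frame-ancestors directive, or "" when the directive is absent.
func frameAncestors(csp string) string {
	for _, d := range strings.Split(csp, ";") {
		if f := strings.Fields(d); len(f) > 0 && strings.EqualFold(f[0], "frame-ancestors") {
			return strings.ToLower(strings.Join(f[1:], " "))
		}
	}
	return ""
}

// AuditHeaders reports a missing fallback header, or an X-Frame-Options value
// that disagrees with frame-ancestors (DENY pairs with 'none', SAMEORIGIN with 'self').
func AuditHeaders(h http.Header) []string {
	var findings []string
	xfo, fa := strings.ToUpper(h.Get("X-Frame-Options")), frameAncestors(h.Get("Content-Security-Policy"))
	if xfo == "" {
		findings = append(findings, "X-Frame-Options missing")
	} else if (fa == "'none'" && xfo != "DENY") || (fa == "'self'" && xfo != "SAMEORIGIN") {
		findings = append(findings, "X-Frame-Options "+xfo+" disagrees with frame-ancestors "+fa)
	}
	if h.Get("Referrer-Policy") == "" {
		findings = append(findings, "Referrer-Policy missing")
	}
	return findings
}

// AuditHandler sends one request through h and audits the response headers.
func AuditHandler(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return AuditHeaders(rec.Result().Header)
}
```

Running AuditHandler against every route, including error handlers, is the quickest way to confirm the middleware is applied globally rather than only on the happy path.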

@tsmethurst (Contributor) commented:

Looks reasonable :) Wanna merge it as is, or would you rather wait and add more stuff to this PR?

@daenney (Member Author) commented Jul 3, 2024

Let's merge this batch. I can do additional ones for other headers because some of them are quite involved.

@daenney daenney merged commit 02d6e2e into main Jul 4, 2024
3 checks passed
@daenney daenney deleted the security-headers branch July 4, 2024 08:07