Append Strict-Transport-Security option (#2674)
This commit is contained in:
parent
98328cac1c
commit
479a1a2ab4
|
@ -371,27 +371,28 @@ sub defaultValues {
|
|||
'stayConnected' => 0,
|
||||
'stayConnectedCookieName' => 'llngconnection',
|
||||
'stayConnectedTimeout' => 2592000,
|
||||
'successLoginNumber' => 5,
|
||||
'timeout' => 72000,
|
||||
'timeoutActivity' => 0,
|
||||
'timeoutActivityInterval' => 60,
|
||||
'totp2fActivation' => 0,
|
||||
'totp2fDigits' => 6,
|
||||
'totp2fInterval' => 30,
|
||||
'totp2fRange' => 1,
|
||||
'totp2fSelfRegistration' => 0,
|
||||
'totp2fUserCanRemoveKey' => 1,
|
||||
'twitterAuthnLevel' => 1,
|
||||
'twitterUserField' => 'screen_name',
|
||||
'u2fActivation' => 0,
|
||||
'u2fSelfRegistration' => 0,
|
||||
'u2fUserCanRemoveKey' => 1,
|
||||
'upgradeSession' => 1,
|
||||
'userControl' => '^[\\w\\.\\-@]+$',
|
||||
'userDB' => 'Same',
|
||||
'useRedirectOnError' => 1,
|
||||
'useSafeJail' => 1,
|
||||
'utotp2fActivation' => 0,
|
||||
'strictTransportSecurityMax_Age' => '15768000',
|
||||
'successLoginNumber' => 5,
|
||||
'timeout' => 72000,
|
||||
'timeoutActivity' => 0,
|
||||
'timeoutActivityInterval' => 60,
|
||||
'totp2fActivation' => 0,
|
||||
'totp2fDigits' => 6,
|
||||
'totp2fInterval' => 30,
|
||||
'totp2fRange' => 1,
|
||||
'totp2fSelfRegistration' => 0,
|
||||
'totp2fUserCanRemoveKey' => 1,
|
||||
'twitterAuthnLevel' => 1,
|
||||
'twitterUserField' => 'screen_name',
|
||||
'u2fActivation' => 0,
|
||||
'u2fSelfRegistration' => 0,
|
||||
'u2fUserCanRemoveKey' => 1,
|
||||
'upgradeSession' => 1,
|
||||
'userControl' => '^[\\w\\.\\-@]+$',
|
||||
'userDB' => 'Same',
|
||||
'useRedirectOnError' => 1,
|
||||
'useSafeJail' => 1,
|
||||
'utotp2fActivation' => 0,
|
||||
'viewerHiddenKeys' => 'samlIDPMetaDataNodes, samlSPMetaDataNodes',
|
||||
'webauthn2fActivation' => 0,
|
||||
'webauthn2fSelfRegistration' => 0,
|
||||
|
|
|
@ -4259,6 +4259,10 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'strictTransportSecurityMax_Age' => {
|
||||
'default' => '15768000',
|
||||
'type' => 'text'
|
||||
},
|
||||
'successLoginNumber' => {
|
||||
'default' => 5,
|
||||
'type' => 'int'
|
||||
|
|
|
@ -1093,7 +1093,12 @@ sub attributes {
|
|||
corsMax_Age => {
|
||||
type => 'text',
|
||||
default => '86400', # 24 hours
|
||||
documentation => 'MAx-age for Cross-Origin Resource Sharing',
|
||||
documentation => 'Max-age for Cross-Origin Resource Sharing',
|
||||
},
|
||||
strictTransportSecurityMax_Age => {
|
||||
type => 'text',
|
||||
default => '15768000',
|
||||
documentation => 'Max-age for Strict-Transport-Security',
|
||||
},
|
||||
cspDefault => {
|
||||
type => 'text',
|
||||
|
|
|
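Review bot: `strictTransportSecurityMax_Age` is declared `type => 'text'` in this hunk, while the sendHtml hunk later in the commit interpolates it straight into the header value, so any non-numeric string the manager accepts becomes a `max-age` directive browsers discard and HSTS is silently lost. `timeout` and `successLoginNumber` use `type => 'int'`, so declaring it as `type => 'int', default => 15768000,` keeps such a value out of the configuration; the two single-quoted default tables earlier in this commit look generated from this definition and would presumably follow on regeneration. The documentation string could also state the unit and the disabling value, e.g. `documentation => 'Max-age in seconds for Strict-Transport-Security; 0 disables the header'`, which matches the truthiness test in sendHtml. The `attributes` hash continues outside the hunk.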
@ -1092,6 +1092,7 @@ sub tree {
|
|||
'requireToken',
|
||||
'formTimeout',
|
||||
'tokenUseGlobalStorage',
|
||||
'strictTransportSecurityMax_Age',
|
||||
{
|
||||
title => 'CrowdSecPlugin',
|
||||
help => 'crowdsec.html',
|
||||
|
|
|
@ -946,21 +946,32 @@ sub sendHtml {
|
|||
|
||||
$self->setCorsHeaderFromConfig($res);
|
||||
|
||||
if ( $self->conf->{strictTransportSecurityMax_Age}
|
||||
and $self->conf->{portal} =~ /^https:/ )
|
||||
{
|
||||
push @{ $res->[1] },
|
||||
'Strict-Transport-Security' =>
|
||||
"max-age=$self->{conf}->{strictTransportSecurityMax_Age}";
|
||||
$self->logger->debug(
|
||||
"Set Strict-Transport-Security with: $self->{conf}->{strictTransportSecurityMax_Age}"
|
||||
);
|
||||
}
|
||||
|
||||
# Set authorized URL for POST
|
||||
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
|
||||
if ( my $url = $req->urldc ) {
|
||||
$self->logger->debug("Required urldc : $url");
|
||||
$self->logger->debug("Required urldc: $url");
|
||||
$url =~ URIRE;
|
||||
$url = $2 . '://' . $3 . ( $4 ? ":$4" : '' );
|
||||
$self->logger->debug("Set CSP form-action with urldc : $url");
|
||||
$self->logger->debug("Set CSP form-action with urldc: $url");
|
||||
$csp .= " $url";
|
||||
}
|
||||
my $url = $args{params}->{URL};
|
||||
if ( defined $url ) {
|
||||
$self->logger->debug("Required Params URL : $url");
|
||||
$self->logger->debug("Required Params URL: $url");
|
||||
if ( $url =~ URIRE ) {
|
||||
$url = $2 . '://' . $3 . ( $4 ? ":$4" : '' );
|
||||
$self->logger->debug("Set CSP form-action with Params URL : $url");
|
||||
$self->logger->debug("Set CSP form-action with Params URL: $url");
|
||||
$csp .= " $url";
|
||||
}
|
||||
}
|
||||
|
@ -1018,7 +1029,7 @@ sub sendHtml {
|
|||
|
||||
# Set CSP header
|
||||
push @{ $res->[1] }, 'Content-Security-Policy' => $csp;
|
||||
$self->logger->debug("Apply following CSP : $csp");
|
||||
$self->logger->debug("Apply following CSP: $csp");
|
||||
return $res;
|
||||
}
|
||||
|
||||
|
@ -1259,7 +1270,7 @@ sub setCorsHeaderFromConfig {
|
|||
if ( $self->conf->{corsEnabled} ) {
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $response->[1] }, @cors;
|
||||
$self->logger->debug('Apply following CORS policy :');
|
||||
$self->logger->debug('Apply following CORS policy:');
|
||||
$self->logger->debug(" $_") for @cors;
|
||||
}
|
||||
}
|
||||
|
|
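Review bot: The `Strict-Transport-Security` value pushed in the first sendHtml hunk is built by interpolating the configured max-age with no check that it is a non-negative integer, so a mistyped value (the attribute is declared as text elsewhere in this commit) yields a header browsers discard and the portal silently runs without HSTS. Reading the setting once into a lexical also removes the mixed `$self->conf->{...}` / `$self->{conf}->{...}` access inside the same block and lets the guard, the header and the debug line share one value; a misconfiguration should be logged at a higher level than debug if the logger offers one, since only `debug` is visible here. Because the header is only added on this HTML path, responses produced elsewhere (redirects, JSON) presumably leave it unset until a page is rendered, which is acceptable for HSTS since browsers remember it per host once seen, but deserves a comment. The second and third hunks only change log punctuation. sendHtml starts and ends outside the first hunk.
```perl
    $self->setCorsHeaderFromConfig($res);

    # HSTS is only meaningful on an https portal; a non-numeric max-age would
    # produce a directive browsers ignore, so require digits explicitly.
    my $hsts_max_age = $self->conf->{strictTransportSecurityMax_Age};
    if (    $hsts_max_age
        and $hsts_max_age =~ /\A\d+\z/
        and $self->conf->{portal} =~ /^https:/ )
    {
        push @{ $res->[1] },
          'Strict-Transport-Security' => "max-age=$hsts_max_age";
        $self->logger->debug(
            "Set Strict-Transport-Security with: $hsts_max_age");
    }
    elsif ( defined $hsts_max_age and $hsts_max_age !~ /\A\d+\z/ ) {
        $self->logger->debug(
            "Ignoring invalid strictTransportSecurityMax_Age: $hsts_max_age");
    }
    # … unchanged: CSP form-action construction …
```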