From 605d183d01ff1ab16a8a02db6534ddaca69a4a52 Mon Sep 17 00:00:00 2001
From: fett0 <fernando.gmaidana@gmail.com>
Date: Mon, 4 Dec 2023 19:41:15 +0000
Subject:  T5796:add/fixed OCSERV HTTP security headers

---
 data/templates/ocserv/ocserv_config.tmpl | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl
index 8a394f0ac..ce03d9107 100644
--- a/data/templates/ocserv/ocserv_config.tmpl
+++ b/data/templates/ocserv/ocserv_config.tmpl
@@ -84,3 +84,19 @@ route = {{ network_settings.push_route }}
 route = {{ route }}
 {%   endfor %}
 {% endif %}
+
+
+# HTTP security headers
+included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
+included-http-headers = X-Frame-Options: deny
+included-http-headers = X-Content-Type-Options: nosniff
+included-http-headers = Content-Security-Policy: default-src ´none´
+included-http-headers = X-Permitted-Cross-Domain-Policies: none
+included-http-headers = Referrer-Policy: no-referrer
+included-http-headers = Clear-Site-Data: "cache","cookies","storage"
+included-http-headers = Cross-Origin-Embedder-Policy: require-corp
+included-http-headers = Cross-Origin-Opener-Policy: same-origin
+included-http-headers = Cross-Origin-Resource-Policy: same-origin
+included-http-headers = X-XSS-Protection: 0
+included-http-headers = Pragma: no-cache
+included-http-headers = Cache-control: no-store, no-cache
-- 
cgit v1.2.3


From ad65d37ddf92ec8416c84707d7d41e63346b550c Mon Sep 17 00:00:00 2001
From: fett0 <fernando.gmaidana@gmail.com>
Date: Fri, 15 Dec 2023 18:39:29 +0000
Subject:  T5796:add command http-security-headers

---
 data/templates/ocserv/ocserv_config.tmpl     | 3 ++-
 interface-definitions/vpn_openconnect.xml.in | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl
index ce03d9107..3a27eb755 100644
--- a/data/templates/ocserv/ocserv_config.tmpl
+++ b/data/templates/ocserv/ocserv_config.tmpl
@@ -85,7 +85,7 @@ route = {{ route }}
 {%   endfor %}
 {% endif %}
 
-
+{% if http_security_headers is defined %}
 # HTTP security headers
 included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 included-http-headers = X-Frame-Options: deny
@@ -100,3 +100,4 @@ included-http-headers = Cross-Origin-Resource-Policy: same-origin
 included-http-headers = X-XSS-Protection: 0
 included-http-headers = Pragma: no-cache
 included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 3f363a263..16d6f366e 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -106,6 +106,12 @@
               </leafNode>
             </children>
           </node>
+          <leafNode name="http-security-headers">
+            <properties>
+              <help>Enable HTTP security headers</help>
+              <valueless/>
+            </properties>
+          </leafNode>
           <node name="ssl">
             <properties>
               <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
-- 
cgit v1.2.3