Merge pull request #2644 from c-po/ocserv-T5796

ocserv: T5796: add CLI knob "http-security-headers"

3 files changed, 30 insertions, 2 deletions

diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 80ba357bc..b5e890c32 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -121,12 +121,12 @@ select-group = {{ grp }}
 {%     endfor %}
 {% endif %}
 
-
+{% if http_security_headers is vyos_defined %}
 # HTTP security headers
 included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 included-http-headers = X-Frame-Options: deny
 included-http-headers = X-Content-Type-Options: nosniff
-included-http-headers = Content-Security-Policy: default-src ´none´
+included-http-headers = Content-Security-Policy: default-src "none"
 included-http-headers = X-Permitted-Cross-Domain-Policies: none
 included-http-headers = Referrer-Policy: no-referrer
 included-http-headers = Clear-Site-Data: "cache","cookies","storage"
@@ -136,3 +136,4 @@ included-http-headers = Cross-Origin-Resource-Policy: same-origin
 included-http-headers = X-XSS-Protection: 0
 included-http-headers = Pragma: no-cache
 included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 75c64a99a..736084f8b 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -260,6 +260,12 @@
               </leafNode>
             </children>
           </node>
+          <leafNode name="http-security-headers">
+            <properties>
+              <help>Enable HTTP security headers</help>
+              <valueless/>
+            </properties>
+          </leafNode>
           <node name="ssl">
             <properties>
               <help>SSL Certificate, SSL Key and CA</help>
diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py
index 04abeb1aa..c4502fada 100755
--- a/smoketest/scripts/cli/test_vpn_openconnect.py
+++ b/smoketest/scripts/cli/test_vpn_openconnect.py
@@ -141,5 +141,26 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase):
         otp_config = read_file(otp_file)
         self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config)
 
+
+        # Verify HTTP security headers
+        self.cli_set(base_path + ['http-security-headers'])
+        self.cli_commit()
+
+        daemon_config = read_file(config_file)
+
+        self.assertIn('included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains', daemon_config)
+        self.assertIn('included-http-headers = X-Frame-Options: deny', daemon_config)
+        self.assertIn('included-http-headers = X-Content-Type-Options: nosniff', daemon_config)
+        self.assertIn('included-http-headers = Content-Security-Policy: default-src "none"', daemon_config)
+        self.assertIn('included-http-headers = X-Permitted-Cross-Domain-Policies: none', daemon_config)
+        self.assertIn('included-http-headers = Referrer-Policy: no-referrer', daemon_config)
+        self.assertIn('included-http-headers = Clear-Site-Data: "cache","cookies","storage"', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Embedder-Policy: require-corp', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Opener-Policy: same-origin', daemon_config)
+        self.assertIn('included-http-headers = Cross-Origin-Resource-Policy: same-origin', daemon_config)
+        self.assertIn('included-http-headers = X-XSS-Protection: 0', daemon_config)
+        self.assertIn('included-http-headers = Pragma: no-cache', daemon_config)
+        self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)