diff options
author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-12-16 17:30:32 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-16 17:30:32 +0200 |
commit | d5375ce02376a91c07ec68f8d410a08dcdc57ef9 (patch) | |
tree | 50338dd2a1843e4ad58b634c195b3239e37c6e98 | |
parent | 9afd896937ba25dcbc03c6b217e08fcd80494c08 (diff) | |
parent | 1d6ba2cd7ceccb85803bbb575c4f344d63a0fa4f (diff) | |
download | vyos-1x-d5375ce02376a91c07ec68f8d410a08dcdc57ef9.tar.gz vyos-1x-d5375ce02376a91c07ec68f8d410a08dcdc57ef9.zip |
Merge pull request #2645 from vyos/mergify/bp/sagitta/pr-2644
ocserv: T5796: add CLI knob "http-security-headers" (backport #2644)
-rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 5 | ||||
-rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 6 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_openconnect.py | 21 |
3 files changed, 30 insertions, 2 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 80ba357bc..b5e890c32 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -121,12 +121,12 @@ select-group = {{ grp }} {% endfor %} {% endif %} - +{% if http_security_headers is vyos_defined %} # HTTP security headers included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains included-http-headers = X-Frame-Options: deny included-http-headers = X-Content-Type-Options: nosniff -included-http-headers = Content-Security-Policy: default-src ´none´ +included-http-headers = Content-Security-Policy: default-src "none" included-http-headers = X-Permitted-Cross-Domain-Policies: none included-http-headers = Referrer-Policy: no-referrer included-http-headers = Clear-Site-Data: "cache","cookies","storage" @@ -136,3 +136,4 @@ included-http-headers = Cross-Origin-Resource-Policy: same-origin included-http-headers = X-XSS-Protection: 0 included-http-headers = Pragma: no-cache included-http-headers = Cache-control: no-store, no-cache +{% endif %} diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 75c64a99a..736084f8b 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -260,6 +260,12 @@ </leafNode> </children> </node> + <leafNode name="http-security-headers"> + <properties> + <help>Enable HTTP security headers</help> + <valueless/> + </properties> + </leafNode> <node name="ssl"> <properties> <help>SSL Certificate, SSL Key and CA</help> diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index 04abeb1aa..c4502fada 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py @@ -141,5 +141,26 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): otp_config = read_file(otp_file) self.assertIn(f'HOTP/T30/6 {user} - {otp}', otp_config) + + # Verify HTTP security headers + self.cli_set(base_path + ['http-security-headers']) + self.cli_commit() + + daemon_config = read_file(config_file) + + self.assertIn('included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains', daemon_config) + self.assertIn('included-http-headers = X-Frame-Options: deny', daemon_config) + self.assertIn('included-http-headers = X-Content-Type-Options: nosniff', daemon_config) + self.assertIn('included-http-headers = Content-Security-Policy: default-src "none"', daemon_config) + self.assertIn('included-http-headers = X-Permitted-Cross-Domain-Policies: none', daemon_config) + self.assertIn('included-http-headers = Referrer-Policy: no-referrer', daemon_config) + self.assertIn('included-http-headers = Clear-Site-Data: "cache","cookies","storage"', daemon_config) + self.assertIn('included-http-headers = Cross-Origin-Embedder-Policy: require-corp', daemon_config) + self.assertIn('included-http-headers = Cross-Origin-Opener-Policy: same-origin', daemon_config) + self.assertIn('included-http-headers = Cross-Origin-Resource-Policy: same-origin', daemon_config) + self.assertIn('included-http-headers = X-XSS-Protection: 0', daemon_config) + self.assertIn('included-http-headers = Pragma: no-cache', daemon_config) + self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config) + if __name__ == '__main__': unittest.main(verbosity=2) |