From 5a2952709380263d19995a8e5db1177f59a86095 Mon Sep 17 00:00:00 2001 From: fett0 Date: Fri, 15 Dec 2023 18:39:29 +0000 Subject: ocserv: T5796: add CLI knob "http-security-headers" OCserv manual recommended HTTP headers tobe included in the configuration. (cherry picked from commit ad65d37ddf92ec8416c84707d7d41e63346b550c) (cherry picked from commit 24f449cc099703df95646c719e9d3f308ed1a3f0) --- data/templates/ocserv/ocserv_config.j2 | 5 +++-- interface-definitions/vpn-openconnect.xml.in | 6 ++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index 80ba357bc..713ca7fd4 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -121,12 +121,12 @@ select-group = {{ grp }} {% endfor %} {% endif %} - +{% if http_security_headers is vyos_defined %} # HTTP security headers included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains included-http-headers = X-Frame-Options: deny included-http-headers = X-Content-Type-Options: nosniff -included-http-headers = Content-Security-Policy: default-src ´none´ +included-http-headers = Content-Security-Policy: default-src 'none' included-http-headers = X-Permitted-Cross-Domain-Policies: none included-http-headers = Referrer-Policy: no-referrer included-http-headers = Clear-Site-Data: "cache","cookies","storage" @@ -136,3 +136,4 @@ included-http-headers = Cross-Origin-Resource-Policy: same-origin included-http-headers = X-XSS-Protection: 0 included-http-headers = Pragma: no-cache included-http-headers = Cache-control: no-store, no-cache +{% endif %} diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 75c64a99a..736084f8b 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -260,6 +260,12 @@ + + + Enable HTTP security headers + + + SSL Certificate, SSL Key and CA -- cgit v1.2.3