Security Hardening: Content Security Policy + more (#2108)

* Add CSP, varied security headers
This commit is contained in:
kermieisinthehouse
2021-12-13 03:54:19 +00:00
committed by GitHub
parent 79e01589ca
commit b86c9fa8fe
4 changed files with 26 additions and 14 deletions


@@ -54,6 +54,7 @@ func Start(uiBox embed.FS, loginUIBox embed.FS) {
if c.GetLogAccess() { if c.GetLogAccess() {
r.Use(middleware.Logger) r.Use(middleware.Logger)
} }
r.Use(SecurityHeadersMiddleware)
r.Use(middleware.DefaultCompress) r.Use(middleware.DefaultCompress)
r.Use(middleware.StripSlashes) r.Use(middleware.StripSlashes)
r.Use(cors.AllowAll().Handler) r.Use(cors.AllowAll().Handler)
@@ -342,6 +343,28 @@ var (
BaseURLCtxKey = &contextKey{"BaseURL"} BaseURLCtxKey = &contextKey{"BaseURL"}
) )
func SecurityHeadersMiddleware(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) {
c := config.GetInstance()
connectableOrigins := "connect-src data: 'self'"
if !c.IsNewSystem() && c.GetHandyKey() != "" {
connectableOrigins += " https://www.handyfeeling.com"
}
connectableOrigins += "; "
cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "script-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'; form-action 'none'"
w.Header().Set("Referrer-Policy", "same-origin")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-XSS-Protection", "1")
w.Header().Set("Content-Security-Policy", cspDirectives)
next.ServeHTTP(w, r)
}
return http.HandlerFunc(fn)
}
func BaseURLMiddleware(next http.Handler) http.Handler { func BaseURLMiddleware(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) { fn := func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context() ctx := r.Context()
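Review bot: `form-action 'none'` in the policy built on the cspDirectives line blocks every HTML form submission, including same-origin ones; if the login page served from loginUIBox posts a plain form, this policy will break login, so `form-action 'self'` is the safer restriction. `X-XSS-Protection: 1` turns on the legacy browser filter in sanitise mode, which has known side effects; current guidance is either `0` or `1; mode=block`. Because script-src already allows 'unsafe-inline', the CSP does not stop injected inline scripts, so a comment on that line saying this is a transitional policy until the bundle can run under nonces or hashes would save the next reader from assuming more protection than is there. The exported SecurityHeadersMiddleware also lacks a doc comment, e.g. `// SecurityHeadersMiddleware adds Content-Security-Policy and related hardening headers to every response.`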


@@ -6,9 +6,9 @@
<link rel="shortcut icon" href="/favicon.ico" /> <link rel="shortcut icon" href="/favicon.ico" />
<meta <meta
name="viewport" name="viewport"
content="width=device-width, initial-scale=1" content="width=device-width, initial-scale=1, maximum-scale=1"
/> />
<meta name="theme-color" content="#000000" /> <meta name="theme-color" content="#202b33" />
<!-- <!--
manifest.json provides metadata used when your web app is installed on a manifest.json provides metadata used when your web app is installed on a
user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/ user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
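Review bot: The viewport meta appears to gain `maximum-scale=1` on the content= line, which prevents users from pinch-zooming the page; that is an accessibility regression (WCAG 1.4.4) and is unrelated to the security headers the commit message describes. If the intent is only to stop mobile browsers auto-zooming on input focus, that is better handled in CSS than by locking zoom. The theme-color change is likewise not mentioned in the description; a line there would help reviewers place both edits.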


@@ -1,11 +0,0 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>Stash</title>
</head>
<body>
<div id="root" className="Stash"></div>
</body>
</html>


@@ -401,7 +401,7 @@
"heading": "Funscript Offset (ms)" "heading": "Funscript Offset (ms)"
}, },
"handy_connection_key": { "handy_connection_key": {
"description": "Handy connection key to use for interactive scenes.", "description": "Handy connection key to use for interactive scenes. Setting this key will allow Stash to share your current scene information with handyfeeling.com",
"heading": "Handy Connection Key" "heading": "Handy Connection Key"
}, },
"images": { "images": {