Security Hardening: Content Security Policy + more (#2108)

* Add CSP, varied security headers
2025-12-17 20:34:37 +03:00 · 2021-12-13 03:54:19 +00:00
parent 79e01589ca
commit b86c9fa8fe
4 changed files with 26 additions and 14 deletions
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -54,6 +54,7 @@ func Start(uiBox embed.FS, loginUIBox embed.FS) {
 	if c.GetLogAccess() {
 		r.Use(middleware.Logger)
 	}
+	r.Use(SecurityHeadersMiddleware)
 	r.Use(middleware.DefaultCompress)
 	r.Use(middleware.StripSlashes)
 	r.Use(cors.AllowAll().Handler)
@@ -342,6 +343,28 @@ var (
 	BaseURLCtxKey = &contextKey{"BaseURL"}
 )

+func SecurityHeadersMiddleware(next http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		c := config.GetInstance()
+		connectableOrigins := "connect-src data: 'self'"
+		if !c.IsNewSystem() && c.GetHandyKey() != "" {
+			connectableOrigins += " https://www.handyfeeling.com"
+		}
+		connectableOrigins += "; "
+
+		cspDirectives := "default-src data: 'self' 'unsafe-inline';" + connectableOrigins + "script-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'; form-action 'none'"
+
+		w.Header().Set("Referrer-Policy", "same-origin")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-XSS-Protection", "1")
+		w.Header().Set("Content-Security-Policy", cspDirectives)
+
+		next.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(fn)
+}
+
 func BaseURLMiddleware(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
--- a/ui/v2.5/index.html
+++ b/ui/v2.5/index.html
@@ -6,9 +6,9 @@
    <link rel="shortcut icon" href="/favicon.ico" />
    <meta
      name="viewport"
-      content="width=device-width, initial-scale=1"
+      content="width=device-width, initial-scale=1, maximum-scale=1"
    />
-    <meta name="theme-color" content="#000000" />
+    <meta name="theme-color" content="#202b33" />
    <!--
      manifest.json provides metadata used when your web app is installed on a
      user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
--- a/ui/v2.5/src/index.html.ejs
+++ b/ui/v2.5/src/index.html.ejs
@@ -1,11 +0,0 @@
-<!DOCTYPE html>
-<html lang="en" dir="ltr">
-    <head>
-        <meta charset="UTF-8"/>
-        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
-        <title>Stash</title>
-    </head>
-    <body>
-		<div id="root" className="Stash"></div>
-    </body>
-</html>
--- a/ui/v2.5/src/locales/en-GB.json
+++ b/ui/v2.5/src/locales/en-GB.json
@@ -401,7 +401,7 @@
        "heading": "Funscript Offset (ms)"
      },
      "handy_connection_key": {
-        "description": "Handy connection key to use for interactive scenes.",
+        "description": "Handy connection key to use for interactive scenes. Setting this key will allow Stash to share your current scene information with handyfeeling.com",
        "heading": "Handy Connection Key"
      },
      "images": {