From 657c4c2939cad5f76099168364270d3b33c4b317 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 25 Jun 2021 13:11:16 -0700 Subject: [PATCH] Added Strict-Transport-Security HTTP header by default. --- meshcentral-config-schema.json | 1 + webserver.js | 1 + 2 files changed, 2 insertions(+) diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json index fd89330f..ff47ad81 100644 --- a/meshcentral-config-schema.json +++ b/meshcentral-config-schema.json @@ -89,6 +89,7 @@ "ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma seperated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." }, "exactPorts": { "type": "boolean", "default": false }, "allowLoginToken": { "type": "boolean", "default": false }, + "StrictTransportSecurity": { "type": ["boolean", "string"], "default": true, "description": "Controls the Strict-Transport-Security header, default is 1 year. Set to false to remove, or string to set a custom value." }, "allowFraming": { "type": "boolean", "default": false, "description": "When enabled, the MeshCentral web site can be embedded within another website's iframe." }, "cookieIpCheck": { "type": "boolean" }, "cookieEncoding": { "type": "string", "enum": [ "hex", "base64" ], "default": "base64", "description": "Encoding format of cookies in the HTTP headers, this is typically Base64 but some reverse proxies will require HEX." }, diff --git a/webserver.js b/webserver.js index 836ffe13..d4946d0d 100644 --- a/webserver.js +++ b/webserver.js @@ -5459,6 +5459,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { 'Content-Security-Policy': "default-src 'none'; font-src 'self'; script-src 'self' 'unsafe-inline'" + extraScriptSrc + "; connect-src 'self'" + geourl + selfurl + "; img-src 'self' blob: data:" + geourl + " data:; style-src 'self' 'unsafe-inline'; frame-src 'self' mcrouter:; media-src 'self'; form-action 'self'" }; if ((parent.config.settings.allowframing !== true) && (typeof parent.config.settings.allowframing !== 'string')) { headers['X-Frame-Options'] = 'sameorigin'; } + if (parent.config.settings.stricttransportsecurity !== false) { if (typeof parent.config.settings.stricttransportsecurity == 'string') { headers['Strict-Transport-Security'] = parent.config.settings.stricttransportsecurity; } else { headers['Strict-Transport-Security'] = 'max-age=63072000'; } } res.set(headers); }