From 4028f33b111bb4e66493732d9c99f1f6a6fb1744 Mon Sep 17 00:00:00 2001
From: Joseph Reynolds
Date: Thu, 30 Aug 2018 21:39:37 -0500
Subject: Nginx adds http security headers
Nginx now adds security-related headers to HTTP responses per https://www.owasp.org/index.php/OWASP_Secure_Headers_Project and consistent with openbmc/bmcweb (see header file include/security_headers_middleware.hpp). Tested: curl -D headers http://${bmc} redirects to https No security headers apply, and none are sent curl https://${bmc} contains security headers and works properly curl https://${bmc}/xyz/openbmc_project/software contains Strict-Transport-Security header, and works curl ... -X POST -T ${image} https://${bmc}/upload/image" works firefox http redirects to https firefox https://${bmc}/ logs in and works Resolves openbmc/openbmc#3195 (From meta-ibm rev: 8202b2639cba28a71640db48e38f6b7f1d3eaed0)
Change-Id: Ie20169abbca02471fa5dc89bebba8a6cdf722cd6
Signed-off-by: Joseph Reynolds
Signed-off-by: Brad Bishop
---
 meta-ibm/recipes-httpd/nginx/files/nginx.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'meta-ibm/recipes-httpd')
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
index 5313f508f..be7faf92f 100644
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
@@ -14,6 +14,8 @@ events {
 # Note that a lot of these settings come from the OWASP Secure
 # Configuration guide for nginx
 # https://www.owasp.org/index.php/SCG_WS_nginx
+# and the OWASP Secure Headers project
+# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
 # and the mozilla security guidelines
 # https://wiki.mozilla.org/Security/Server_Side_TLS
@@ -64,6 +66,8 @@ http {
 ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
 ssl_prefer_server_ciphers on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
 location / {
 # This location lets us serve the static pre-compressed webui
 # content (rooted at /usr/share/www). Also if the URI points to
@@ -80,6 +84,15 @@ http {
 gunzip on;
 gzip_static always;
 try_files $uri $uri/ @rest_server;
+
+ add_header X-Frame-Options deny;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' 'unsafe-eval' 'unsafe-inline'";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ add_header Cache-Control "no-store,no-cache";
+ add_header Pragma "no-cache";
+ add_header Expires 0;
 }
 location @rest_server {
 # Use 127.0.0.1 instead of localhost since nginx will
-- cgit v1.2.3
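Review bot: The eight headers added inside `location /` in the second hunk of this line never reach responses proxied through `location @rest_server`, because nginx inherits `add_header` from the enclosing level only when the current level defines none — that block inherits just the server-level Strict-Transport-Security from the first hunk, which is consistent with the commit's own test note that only HSTS appears on /xyz/openbmc_project/software. If API responses are meant to stay without them, a comment in `location @rest_server` saying so would prevent a later reader from assuming they apply; otherwise repeating at least `add_header X-Content-Type-Options nosniff;` and `add_header Cache-Control "no-store,no-cache";` there is the minimal fix, since JSON error bodies and cached responses are the cases those two headers exist for. Separately, `add_header` without the `always` parameter is applied only to 2xx/3xx responses, so nginx's own 4xx/5xx pages are sent without any of these headers; `add_header X-Frame-Options deny always;` (and likewise for the other directives) closes that gap. The `location @rest_server` block continues outside the hunk.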