From 1f6f8d5e0ff5457f48dcad3b0f091fcce6d82159 Mon Sep 17 00:00:00 2001
From: Michael
Date: Fri, 2 Mar 2018 14:24:03 +0100
Subject: [PATCH] New option in secure middleware
---
 autogen/gentemplates/gen.go | 9 +++++++++
 docs/configuration/backends/consulcatalog.md | 1 +
 docs/configuration/backends/docker.md | 2 ++
 docs/configuration/backends/ecs.md | 1 +
 docs/configuration/backends/kubernetes.md | 1 +
 docs/configuration/backends/marathon.md | 2 ++
 docs/configuration/backends/mesos.md | 1 +
 docs/configuration/backends/rancher.md | 1 +
 middlewares/secure.go | 1 +
 provider/consulcatalog/consul_catalog_config.go | 1 +
 provider/consulcatalog/consul_catalog_config_test.go | 2 ++
 provider/docker/config_container.go | 1 +
 provider/docker/config_container_docker_test.go | 4 ++++
 provider/docker/config_container_swarm_test.go | 2 ++
 provider/docker/config_service.go | 1 +
 provider/docker/config_service_test.go | 6 ++++++
 provider/ecs/config.go | 1 +
 provider/ecs/config_test.go | 4 ++++
 provider/kubernetes/annotations.go | 1 +
 provider/kubernetes/kubernetes.go | 1 +
 provider/kubernetes/kubernetes_test.go | 2 ++
 provider/kv/keynames.go | 1 +
 provider/kv/kv_config.go | 1 +
 provider/kv/kv_config_test.go | 12 ++++++++++++
 provider/label/names.go | 2 ++
 provider/marathon/config.go | 1 +
 provider/marathon/config_test.go | 8 ++++++++
 provider/mesos/config.go | 1 +
 provider/mesos/config_test.go | 4 ++++
 provider/rancher/config.go | 1 +
 provider/rancher/config_test.go | 4 ++++
 templates/consul_catalog.tmpl | 1 +
 templates/docker.tmpl | 2 ++
 templates/ecs.tmpl | 1 +
 templates/kubernetes.tmpl | 1 +
 templates/kv.tmpl | 1 +
 templates/marathon.tmpl | 1 +
 templates/mesos.tmpl | 1 +
 templates/rancher.tmpl | 1 +
 types/types.go | 2 ++
 40 files changed, 91 insertions(+)
diff --git a/autogen/gentemplates/gen.go b/autogen/gentemplates/gen.go
index e21bd0d70..ef6d3a10a 100644
--- a/autogen/gentemplates/gen.go
+++ b/autogen/gentemplates/gen.go
@@ -183,6 +183,7 @@ var _templatesConsul_catalogTmpl = []byte(`[backends] CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" @@ -387,6 +388,7 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}} CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" @@ -503,6 +505,7 @@ var _templatesDockerTmpl = []byte(`{{$backendServers := .Servers}} CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" @@ -694,6 +697,7 @@ var _templatesEcsTmpl = []byte(`[backends] CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" 
@@ -901,6 +905,7 @@ var _templatesKubernetesTmpl = []byte(`[backends] CustomFrameOptionsValue = "{{ $frontend.Headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $frontend.Headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $frontend.Headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $frontend.Headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $frontend.Headers.ContentSecurityPolicy }}" PublicKey = "{{ $frontend.Headers.PublicKey }}" ReferrerPolicy = "{{ $frontend.Headers.ReferrerPolicy }}" @@ -1096,6 +1101,7 @@ var _templatesKvTmpl = []byte(`[backends] CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" @@ -1306,6 +1312,7 @@ var _templatesMarathonTmpl = []byte(`{{ $apps := .Applications }} CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" @@ -1498,6 +1505,7 @@ var _templatesMesosTmpl = []byte(`[backends] CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" 
@@ -1711,6 +1719,7 @@ var _templatesRancherTmpl = []byte(`{{ $backendServers := .Backends }} CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}" ContentTypeNosniff = {{ $headers.ContentTypeNosniff }} BrowserXSSFilter = {{ $headers.BrowserXSSFilter }} + CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}" ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}" PublicKey = "{{ $headers.PublicKey }}" ReferrerPolicy = "{{ $headers.ReferrerPolicy }}" diff --git a/docs/configuration/backends/consulcatalog.md b/docs/configuration/backends/consulcatalog.md index 4dfd5e953..0d403e260 100644 --- a/docs/configuration/backends/consulcatalog.md +++ b/docs/configuration/backends/consulcatalog.md @@ -143,6 +143,7 @@ Additional settings can be defined using Consul Catalog tags. | `.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. | | `.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. | | `.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. | +| `.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. | | `.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. | | `.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. | | `.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. | diff --git a/docs/configuration/backends/docker.md b/docs/configuration/backends/docker.md index 119142e34..f587078e8 100644 --- a/docs/configuration/backends/docker.md +++ b/docs/configuration/backends/docker.md 
@@ -231,6 +231,7 @@ Labels can be used on containers to override default behaviour.
 | `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
@@ -290,6 +291,7 @@ Services labels can be used for overriding default behaviour
 | `traefik..frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik..frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik..frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik..frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik..frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik..frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik..frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
diff --git a/docs/configuration/backends/ecs.md b/docs/configuration/backends/ecs.md
index de0555e07..d884b338b 100644
--- a/docs/configuration/backends/ecs.md
+++ b/docs/configuration/backends/ecs.md
@@ -191,6 +191,7 @@ Labels can be used on task containers to override default behaviour:
 | `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
diff --git a/docs/configuration/backends/kubernetes.md b/docs/configuration/backends/kubernetes.md
index 062f9374d..b63cbde28 100644
--- a/docs/configuration/backends/kubernetes.md
+++ b/docs/configuration/backends/kubernetes.md
@@ -220,6 +220,7 @@ The following security annotations are applicable on the Ingress object:
 | `ingress.kubernetes.io/custom-frame-options-value: VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `ingress.kubernetes.io/content-type-nosniff: "true"` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `ingress.kubernetes.io/browser-xss-filter: "true"` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `ingress.kubernetes.io/custom-browser-xss-value: VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `ingress.kubernetes.io/content-security-policy: VALUE` | Adds CSP Header with the custom value. |
 | `ingress.kubernetes.io/public-key: VALUE` | Adds pinned HTST public key header. |
 | `ingress.kubernetes.io/referrer-policy: VALUE` | Adds referrer policy header. |
diff --git a/docs/configuration/backends/marathon.md b/docs/configuration/backends/marathon.md
index c982bb557..88d8281ce 100644
--- a/docs/configuration/backends/marathon.md
+++ b/docs/configuration/backends/marathon.md
@@ -229,6 +229,7 @@ The following labels can be defined on Marathon applications. They adjust the be
 | `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
@@ -289,6 +290,7 @@ For applications that expose multiple ports, specific labels can be used to extr
 | `traefik..frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik..frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik..frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik..frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik..frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik..frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik..frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
diff --git a/docs/configuration/backends/mesos.md b/docs/configuration/backends/mesos.md
index 2d4ec97df..411c8c110 100644
--- a/docs/configuration/backends/mesos.md
+++ b/docs/configuration/backends/mesos.md
@@ -163,6 +163,7 @@ The following labels can be defined on Mesos tasks. They adjust the behaviour fo
 | `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
diff --git a/docs/configuration/backends/rancher.md b/docs/configuration/backends/rancher.md
index 76baa282c..d93000dc2 100644
--- a/docs/configuration/backends/rancher.md
+++ b/docs/configuration/backends/rancher.md
@@ -187,6 +187,7 @@ Labels can be used on task containers to override default behaviour:
 | `traefik.frontend.headers.customFrameOptionsValue=VALUE` | Overrides the `X-Frame-Options` header with the custom value. |
 | `traefik.frontend.headers.contentTypeNosniff=true` | Adds the `X-Content-Type-Options` header with the value `nosniff`. |
 | `traefik.frontend.headers.browserXSSFilter=true` | Adds the X-XSS-Protection header with the value `1; mode=block`. |
+| `traefik.frontend.headers.customBrowserXSSValue=VALUE` | Set custom value for X-XSS-Protection header. This overrides the BrowserXssFilter option. |
 | `traefik.frontend.headers.contentSecurityPolicy=VALUE` | Adds CSP Header with the custom value. |
 | `traefik.frontend.headers.publicKey=VALUE` | Adds pinned HTST public key header. |
 | `traefik.frontend.headers.referrerPolicy=VALUE` | Adds referrer policy header. |
diff --git a/middlewares/secure.go b/middlewares/secure.go
index f012143ba..aedd228ab 100644
--- a/middlewares/secure.go
+++ b/middlewares/secure.go
@@ -26,6 +26,7 @@ func NewSecure(headers *types.Headers) *secure.Secure {
 CustomFrameOptionsValue: headers.CustomFrameOptionsValue,
 ContentTypeNosniff: headers.ContentTypeNosniff,
 BrowserXssFilter: headers.BrowserXSSFilter,
+ CustomBrowserXssValue: headers.CustomBrowserXSSValue,
 ContentSecurityPolicy: headers.ContentSecurityPolicy,
 PublicKey: headers.PublicKey,
 ReferrerPolicy: headers.ReferrerPolicy,
diff --git a/provider/consulcatalog/consul_catalog_config.go b/provider/consulcatalog/consul_catalog_config.go
index 779fa5837..71e309c81 100644
--- a/provider/consulcatalog/consul_catalog_config.go
+++ b/provider/consulcatalog/consul_catalog_config.go
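Review bot: In `NewSecure` (middlewares/secure.go) the added `CustomBrowserXssValue: headers.CustomBrowserXSSValue,` forwards the configured string without any check, and the docs added in this patch state that it overrides `BrowserXssFilter`, so a frontend that sets both sends the custom string instead of `1; mode=block`. That precedence deserves a comment on the line, for example `// A non-empty value replaces the X-XSS-Protection value that BrowserXssFilter would set.`. Since the string originates from provider labels, annotations or KV entries, consider accepting only the recognised X-XSS-Protection forms (`0`, `1`, `1; mode=block`, `1; report=<uri>`) or logging anything else; whether the downstream library validates it is not visible here. The body of `NewSecure` starts and ends outside the hunk.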
@@ -368,6 +368,7 @@ func (p *Provider) getHeaders(tags []string) *types.Headers {
 ContentSecurityPolicy: p.getAttribute(label.SuffixFrontendHeadersContentSecurityPolicy, tags, ""),
 PublicKey: p.getAttribute(label.SuffixFrontendHeadersPublicKey, tags, ""),
 ReferrerPolicy: p.getAttribute(label.SuffixFrontendHeadersReferrerPolicy, tags, ""),
+ CustomBrowserXSSValue: p.getAttribute(label.SuffixFrontendHeadersCustomBrowserXSSValue, tags, ""),
 STSSeconds: p.getInt64Attribute(label.SuffixFrontendHeadersSTSSeconds, tags, 0),
 SSLRedirect: p.getBoolAttribute(label.SuffixFrontendHeadersSSLRedirect, tags, false),
 SSLTemporaryRedirect: p.getBoolAttribute(label.SuffixFrontendHeadersSSLTemporaryRedirect, tags, false),
diff --git a/provider/consulcatalog/consul_catalog_config_test.go b/provider/consulcatalog/consul_catalog_config_test.go
index ac93d8418..b51b41d99 100644
--- a/provider/consulcatalog/consul_catalog_config_test.go
+++ b/provider/consulcatalog/consul_catalog_config_test.go
@@ -1268,6 +1268,7 @@ func TestProviderGetHeaders(t *testing.T) {
 label.TraefikFrontendContentSecurityPolicy + "=foo",
 label.TraefikFrontendPublicKey + "=foo",
 label.TraefikFrontendReferrerPolicy + "=foo",
+ label.TraefikFrontendCustomBrowserXSSValue + "=foo",
 label.TraefikFrontendSTSSeconds + "=666",
 label.TraefikFrontendSSLRedirect + "=true",
 label.TraefikFrontendSSLTemporaryRedirect + "=true",
@@ -1299,6 +1300,7 @@ func TestProviderGetHeaders(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 STSSeconds: 666,
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
diff --git a/provider/docker/config_container.go b/provider/docker/config_container.go
index 22af65701..b6fcb28e1 100644
--- a/provider/docker/config_container.go
+++ b/provider/docker/config_container.go
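Review bot: In `getHeaders` in provider/consulcatalog/consul_catalog_config.go the new `CustomBrowserXSSValue` entry is appended after `ReferrerPolicy`, whereas the templates, the docs tables and the kubernetes and kv providers in this same patch place it directly after `BrowserXSSFilter`. Keeping it next to `BrowserXSSFilter` makes the override relationship between the two options easier to spot when reading the literal. The same placement after `ReferrerPolicy` appears in the docker (`config_container.go`, `config_service.go`), ecs and marathon header hunks. The function body starts and ends outside the hunk.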
@@ -292,6 +292,7 @@ func getHeaders(container dockerData) *types.Headers { ContentSecurityPolicy: label.GetStringValue(container.Labels, label.TraefikFrontendContentSecurityPolicy, ""), PublicKey: label.GetStringValue(container.Labels, label.TraefikFrontendPublicKey, ""), ReferrerPolicy: label.GetStringValue(container.Labels, label.TraefikFrontendReferrerPolicy, ""), + CustomBrowserXSSValue: label.GetStringValue(container.Labels, label.TraefikFrontendCustomBrowserXSSValue, ""), } if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined() { diff --git a/provider/docker/config_container_docker_test.go b/provider/docker/config_container_docker_test.go index 38af1d461..6feb82da0 100644 --- a/provider/docker/config_container_docker_test.go +++ b/provider/docker/config_container_docker_test.go @@ -136,6 +136,7 @@ func TestDockerBuildConfiguration(t *testing.T) { label.TraefikFrontendContentSecurityPolicy: "foo", label.TraefikFrontendPublicKey: "foo", label.TraefikFrontendReferrerPolicy: "foo", + label.TraefikFrontendCustomBrowserXSSValue: "foo", label.TraefikFrontendSTSSeconds: "666", label.TraefikFrontendSSLRedirect: "true", label.TraefikFrontendSSLTemporaryRedirect: "true", @@ -224,6 +225,7 @@ func TestDockerBuildConfiguration(t *testing.T) { CustomFrameOptionsValue: "foo", ContentTypeNosniff: true, BrowserXSSFilter: true, + CustomBrowserXSSValue: "foo", ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", @@ -1541,6 +1543,7 @@ func TestDockerGetHeaders(t *testing.T) { label.TraefikFrontendContentSecurityPolicy: "foo", label.TraefikFrontendPublicKey: "foo", label.TraefikFrontendReferrerPolicy: "foo", + label.TraefikFrontendCustomBrowserXSSValue: "foo", label.TraefikFrontendSTSSeconds: "666", label.TraefikFrontendSSLRedirect: "true", label.TraefikFrontendSSLTemporaryRedirect: "true", 
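Review bot: The `getHeaders` hunk in provider/docker/config_container.go leaves the guard `if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined()` unchanged, so a container that sets only `traefik.frontend.headers.customBrowserXSSValue` keeps its headers only if `HasSecureHeadersDefined` (types/types.go, not shown in this part of the patch) also checks the new field. The docker tests touched here add the label only to the all-labels fixtures, which would pass either way; the kv provider test gets a dedicated single-field case in this patch, and an equivalent docker case (label set alone, expecting `&types.Headers{CustomBrowserXSSValue: "foo"}`) would pin the behaviour. The same guard follows the new field in `getServiceHeaders` (config_service.go) and in the ecs and marathon `getHeaders` hunks. The function continues outside the hunk.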
@@ -1573,6 +1576,7 @@ func TestDockerGetHeaders(t *testing.T) { ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", + CustomBrowserXSSValue: "foo", STSSeconds: 666, SSLRedirect: true, SSLTemporaryRedirect: true, diff --git a/provider/docker/config_container_swarm_test.go b/provider/docker/config_container_swarm_test.go index 6e4be3f1f..08bbfb5fe 100644 --- a/provider/docker/config_container_swarm_test.go +++ b/provider/docker/config_container_swarm_test.go @@ -143,6 +143,7 @@ func TestSwarmBuildConfiguration(t *testing.T) { label.TraefikFrontendContentSecurityPolicy: "foo", label.TraefikFrontendPublicKey: "foo", label.TraefikFrontendReferrerPolicy: "foo", + label.TraefikFrontendCustomBrowserXSSValue: "foo", label.TraefikFrontendSTSSeconds: "666", label.TraefikFrontendSSLRedirect: "true", label.TraefikFrontendSSLTemporaryRedirect: "true", @@ -229,6 +230,7 @@ func TestSwarmBuildConfiguration(t *testing.T) { CustomFrameOptionsValue: "foo", ContentTypeNosniff: true, BrowserXSSFilter: true, + CustomBrowserXSSValue: "foo", ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", diff --git a/provider/docker/config_service.go b/provider/docker/config_service.go index 5c79dafe4..439516adb 100644 --- a/provider/docker/config_service.go +++ b/provider/docker/config_service.go @@ -169,6 +169,7 @@ func getServiceHeaders(container dockerData, serviceName string) *types.Headers ContentSecurityPolicy: getServiceStringValue(container, serviceLabels, label.SuffixFrontendHeadersContentSecurityPolicy, ""), PublicKey: getServiceStringValue(container, serviceLabels, label.SuffixFrontendHeadersPublicKey, ""), ReferrerPolicy: getServiceStringValue(container, serviceLabels, label.SuffixFrontendHeadersReferrerPolicy, ""), + CustomBrowserXSSValue: getServiceStringValue(container, serviceLabels, label.SuffixFrontendHeadersCustomBrowserXSSValue, ""), } if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined() { 
diff --git a/provider/docker/config_service_test.go b/provider/docker/config_service_test.go
index 7d549204e..56a1c7715 100644
--- a/provider/docker/config_service_test.go
+++ b/provider/docker/config_service_test.go
@@ -99,6 +99,7 @@ func TestDockerServiceBuildConfiguration(t *testing.T) {
 label.Prefix + "service." + label.SuffixFrontendHeadersContentSecurityPolicy: "foo",
 label.Prefix + "service." + label.SuffixFrontendHeadersPublicKey: "foo",
 label.Prefix + "service." + label.SuffixFrontendHeadersReferrerPolicy: "foo",
+ label.Prefix + "service." + label.SuffixFrontendHeadersCustomBrowserXSSValue: "foo",
 label.Prefix + "service." + label.SuffixFrontendHeadersSTSSeconds: "666",
 label.Prefix + "service." + label.SuffixFrontendHeadersSSLRedirect: "true",
 label.Prefix + "service." + label.SuffixFrontendHeadersSSLTemporaryRedirect: "true",
@@ -182,6 +183,7 @@ func TestDockerServiceBuildConfiguration(t *testing.T) {
 CustomFrameOptionsValue: "foo",
 ContentTypeNosniff: true,
 BrowserXSSFilter: true,
+ CustomBrowserXSSValue: "foo",
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
@@ -1118,6 +1120,7 @@ func TestDockerGetServiceHeaders(t *testing.T) {
 label.Prefix + service + "." + label.SuffixFrontendHeadersContentSecurityPolicy: "foo",
 label.Prefix + service + "." + label.SuffixFrontendHeadersPublicKey: "foo",
 label.Prefix + service + "." + label.SuffixFrontendHeadersReferrerPolicy: "foo",
+ label.Prefix + service + "." + label.SuffixFrontendHeadersCustomBrowserXSSValue: "foo",
 label.Prefix + service + "." + label.SuffixFrontendHeadersSTSSeconds: "666",
 label.Prefix + service + "." + label.SuffixFrontendHeadersSSLRedirect: "true",
 label.Prefix + service + "." + label.SuffixFrontendHeadersSSLTemporaryRedirect: "true",
@@ -1150,6 +1153,7 @@ func TestDockerGetServiceHeaders(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 STSSeconds: 666,
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
@@ -1177,6 +1181,7 @@ func TestDockerGetServiceHeaders(t *testing.T) { label.TraefikFrontendContentSecurityPolicy: "foo", label.TraefikFrontendPublicKey: "foo", label.TraefikFrontendReferrerPolicy: "foo", + label.TraefikFrontendCustomBrowserXSSValue: "foo", label.TraefikFrontendSTSSeconds: "666", label.TraefikFrontendSSLRedirect: "true", label.TraefikFrontendSSLTemporaryRedirect: "true", @@ -1209,6 +1214,7 @@ func TestDockerGetServiceHeaders(t *testing.T) { ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", + CustomBrowserXSSValue: "foo", STSSeconds: 666, SSLRedirect: true, SSLTemporaryRedirect: true, diff --git a/provider/ecs/config.go b/provider/ecs/config.go index 5f36f9430..6aa4d083f 100644 --- a/provider/ecs/config.go +++ b/provider/ecs/config.go @@ -281,6 +281,7 @@ func getHeaders(instance ecsInstance) *types.Headers { ContentSecurityPolicy: getStringValue(instance, label.TraefikFrontendContentSecurityPolicy, ""), PublicKey: getStringValue(instance, label.TraefikFrontendPublicKey, ""), ReferrerPolicy: getStringValue(instance, label.TraefikFrontendReferrerPolicy, ""), + CustomBrowserXSSValue: getStringValue(instance, label.TraefikFrontendCustomBrowserXSSValue, ""), } if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined() { diff --git a/provider/ecs/config_test.go b/provider/ecs/config_test.go index ecc344daf..f1d981607 100644 --- a/provider/ecs/config_test.go +++ b/provider/ecs/config_test.go @@ -164,6 +164,7 @@ func TestBuildConfiguration(t *testing.T) { label.TraefikFrontendContentSecurityPolicy: aws.String("foo"), label.TraefikFrontendPublicKey: aws.String("foo"), label.TraefikFrontendReferrerPolicy: aws.String("foo"), + label.TraefikFrontendCustomBrowserXSSValue: aws.String("foo"), label.TraefikFrontendSTSSeconds: aws.String("666"), label.TraefikFrontendSSLRedirect: aws.String("true"), label.TraefikFrontendSSLTemporaryRedirect: aws.String("true"), 
@@ -293,6 +294,7 @@ func TestBuildConfiguration(t *testing.T) {
 CustomFrameOptionsValue: "foo",
 ContentTypeNosniff: true,
 BrowserXSSFilter: true,
+ CustomBrowserXSSValue: "foo",
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
@@ -1394,6 +1396,7 @@ func TestGetHeaders(t *testing.T) {
 label.TraefikFrontendContentSecurityPolicy: aws.String("foo"),
 label.TraefikFrontendPublicKey: aws.String("foo"),
 label.TraefikFrontendReferrerPolicy: aws.String("foo"),
+ label.TraefikFrontendCustomBrowserXSSValue: aws.String("foo"),
 label.TraefikFrontendSTSSeconds: aws.String("666"),
 label.TraefikFrontendSSLRedirect: aws.String("true"),
 label.TraefikFrontendSSLTemporaryRedirect: aws.String("true"),
@@ -1427,6 +1430,7 @@ func TestGetHeaders(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 STSSeconds: 666,
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
diff --git a/provider/kubernetes/annotations.go b/provider/kubernetes/annotations.go
index 648b78d7c..ca3d0b899 100644
--- a/provider/kubernetes/annotations.go
+++ b/provider/kubernetes/annotations.go
@@ -47,6 +47,7 @@ const (
 annotationKubernetesCustomFrameOptionsValue = "ingress.kubernetes.io/custom-frame-options-value"
 annotationKubernetesContentTypeNosniff = "ingress.kubernetes.io/content-type-nosniff"
 annotationKubernetesBrowserXSSFilter = "ingress.kubernetes.io/browser-xss-filter"
+ annotationKubernetesCustomBrowserXSSValue = "ingress.kubernetes.io/custom-browser-xss-value"
 annotationKubernetesContentSecurityPolicy = "ingress.kubernetes.io/content-security-policy"
 annotationKubernetesPublicKey = "ingress.kubernetes.io/public-key"
 annotationKubernetesReferrerPolicy = "ingress.kubernetes.io/referrer-policy"
diff --git a/provider/kubernetes/kubernetes.go b/provider/kubernetes/kubernetes.go
index e4c1a6887..4b4cbd6cc 100644
--- a/provider/kubernetes/kubernetes.go
+++ b/provider/kubernetes/kubernetes.go
@@ -577,6 +577,7 @@ func getHeader(i *extensionsv1beta1.Ingress) *types.Headers {
 CustomFrameOptionsValue: getStringValue(i.Annotations, annotationKubernetesCustomFrameOptionsValue, ""),
 ContentTypeNosniff: getBoolValue(i.Annotations, annotationKubernetesContentTypeNosniff, false),
 BrowserXSSFilter: getBoolValue(i.Annotations, annotationKubernetesBrowserXSSFilter, false),
+ CustomBrowserXSSValue: getStringValue(i.Annotations, annotationKubernetesCustomBrowserXSSValue, ""),
 ContentSecurityPolicy: getStringValue(i.Annotations, annotationKubernetesContentSecurityPolicy, ""),
 PublicKey: getStringValue(i.Annotations, annotationKubernetesPublicKey, ""),
 ReferrerPolicy: getStringValue(i.Annotations, annotationKubernetesReferrerPolicy, ""),
diff --git a/provider/kubernetes/kubernetes_test.go b/provider/kubernetes/kubernetes_test.go
index 8bb63791e..164799804 100644
--- a/provider/kubernetes/kubernetes_test.go
+++ b/provider/kubernetes/kubernetes_test.go
@@ -793,6 +793,7 @@ rateset:
 iAnnotation(annotationKubernetesFrameDeny, "true"),
 iAnnotation(annotationKubernetesContentTypeNosniff, "true"),
 iAnnotation(annotationKubernetesBrowserXSSFilter, "true"),
+ iAnnotation(annotationKubernetesCustomBrowserXSSValue, "foo"),
 iAnnotation(annotationKubernetesIsDevelopment, "true"),
 iAnnotation(annotationKubernetesSSLHost, "foo"),
 iAnnotation(annotationKubernetesCustomFrameOptionsValue, "foo"),
@@ -1042,6 +1043,7 @@ rateset:
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 }),
 routes(
 route("/customheaders", "PathPrefix:/customheaders"),
diff --git a/provider/kv/keynames.go b/provider/kv/keynames.go
index 465b97601..558f11843 100644
--- a/provider/kv/keynames.go
+++ b/provider/kv/keynames.go
@@ -61,6 +61,7 @@ const (
 pathFrontendCustomFrameOptionsValue = "/headers/customframeoptionsvalue"
 pathFrontendContentTypeNosniff = "/headers/contenttypenosniff"
 pathFrontendBrowserXSSFilter = "/headers/browserxssfilter"
+ pathFrontendCustomBrowserXSSValue = "/headers/custombrowserxssvalue"
 pathFrontendContentSecurityPolicy = "/headers/contentsecuritypolicy"
 pathFrontendPublicKey = "/headers/publickey"
 pathFrontendReferrerPolicy = "/headers/referrerpolicy"
diff --git a/provider/kv/kv_config.go b/provider/kv/kv_config.go
index 5a8a6bc36..23ce07c05 100644
--- a/provider/kv/kv_config.go
+++ b/provider/kv/kv_config.go
@@ -206,6 +206,7 @@ func (p *Provider) getHeaders(rootPath string) *types.Headers {
 CustomFrameOptionsValue: p.get("", rootPath, pathFrontendCustomFrameOptionsValue),
 ContentTypeNosniff: p.getBool(false, rootPath, pathFrontendContentTypeNosniff),
 BrowserXSSFilter: p.getBool(false, rootPath, pathFrontendBrowserXSSFilter),
+ CustomBrowserXSSValue: p.get("", rootPath, pathFrontendCustomBrowserXSSValue),
 ContentSecurityPolicy: p.get("", rootPath, pathFrontendContentSecurityPolicy),
 PublicKey: p.get("", rootPath, pathFrontendPublicKey),
 ReferrerPolicy: p.get("", rootPath, pathFrontendReferrerPolicy),
diff --git a/provider/kv/kv_config_test.go b/provider/kv/kv_config_test.go
index a7ebd99a7..7788937b1 100644
--- a/provider/kv/kv_config_test.go
+++ b/provider/kv/kv_config_test.go
@@ -119,6 +119,7 @@ func TestProviderBuildConfiguration(t *testing.T) {
 withPair(pathFrontendContentSecurityPolicy, "foo"),
 withPair(pathFrontendPublicKey, "foo"),
 withPair(pathFrontendReferrerPolicy, "foo"),
+ withPair(pathFrontendCustomBrowserXSSValue, "foo"),
 withPair(pathFrontendSSLRedirect, "true"),
 withPair(pathFrontendSSLTemporaryRedirect, "true"),
 withPair(pathFrontendSTSIncludeSubdomains, "true"),
@@ -248,6 +249,7 @@ func TestProviderBuildConfiguration(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
 STSIncludeSubdomains: true,
@@ -1415,6 +1417,16 @@ func TestProviderGetHeaders(t *testing.T) {
 BrowserXSSFilter: true,
 },
 },
+ {
+ desc: "Custom Browser XSS Value",
+ rootPath: "traefik/frontends/foo",
+ kvPairs: filler("traefik",
+ frontend("foo",
+ withPair(pathFrontendCustomBrowserXSSValue, "foo"))),
+ expected: &types.Headers{
+ CustomBrowserXSSValue: "foo",
+ },
+ },
 {
 desc: "Content Security Policy",
 rootPath: "traefik/frontends/foo",
diff --git a/provider/label/names.go b/provider/label/names.go
index e7e8d82de..ac9b3faaf 100644
--- a/provider/label/names.go
+++ b/provider/label/names.go
@@ -51,6 +51,7 @@ const (
 SuffixFrontendHeadersCustomFrameOptionsValue = SuffixFrontendHeaders + "customFrameOptionsValue"
 SuffixFrontendHeadersContentTypeNosniff = SuffixFrontendHeaders + "contentTypeNosniff"
 SuffixFrontendHeadersBrowserXSSFilter = SuffixFrontendHeaders + "browserXSSFilter"
+ SuffixFrontendHeadersCustomBrowserXSSValue = SuffixFrontendHeaders + "customBrowserXSSValue"
 SuffixFrontendHeadersContentSecurityPolicy = SuffixFrontendHeaders + "contentSecurityPolicy"
 SuffixFrontendHeadersPublicKey = SuffixFrontendHeaders + "publicKey"
 SuffixFrontendHeadersReferrerPolicy = SuffixFrontendHeaders + "referrerPolicy"
@@ -124,6 +125,7 @@ const ( TraefikFrontendCustomFrameOptionsValue = Prefix + SuffixFrontendHeadersCustomFrameOptionsValue TraefikFrontendContentTypeNosniff = Prefix + SuffixFrontendHeadersContentTypeNosniff TraefikFrontendBrowserXSSFilter = Prefix + SuffixFrontendHeadersBrowserXSSFilter + TraefikFrontendCustomBrowserXSSValue = Prefix + SuffixFrontendHeadersCustomBrowserXSSValue TraefikFrontendContentSecurityPolicy = Prefix + SuffixFrontendHeadersContentSecurityPolicy TraefikFrontendPublicKey = Prefix + SuffixFrontendHeadersPublicKey TraefikFrontendReferrerPolicy = Prefix + SuffixFrontendHeadersReferrerPolicy diff --git a/provider/marathon/config.go b/provider/marathon/config.go index bca5bef56..50938491c 100644 --- a/provider/marathon/config.go +++ b/provider/marathon/config.go @@ -572,6 +572,7 @@ func getHeaders(application marathon.Application, serviceName string) *types.Hea ContentSecurityPolicy: label.GetStringValue(labels, getLabelName(serviceName, label.SuffixFrontendHeadersContentSecurityPolicy), ""), PublicKey: label.GetStringValue(labels, getLabelName(serviceName, label.SuffixFrontendHeadersPublicKey), ""), ReferrerPolicy: label.GetStringValue(labels, getLabelName(serviceName, label.SuffixFrontendHeadersReferrerPolicy), ""), + CustomBrowserXSSValue: label.GetStringValue(labels, getLabelName(serviceName, label.SuffixFrontendHeadersCustomBrowserXSSValue), ""), } if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined() { diff --git a/provider/marathon/config_test.go b/provider/marathon/config_test.go index 78d3c182d..fc696f51d 100644 --- a/provider/marathon/config_test.go +++ b/provider/marathon/config_test.go 
@@ -218,6 +218,7 @@ func TestBuildConfigurationNonAPIErrors(t *testing.T) {
 withLabel(label.TraefikFrontendContentSecurityPolicy, "foo"),
 withLabel(label.TraefikFrontendPublicKey, "foo"),
 withLabel(label.TraefikFrontendReferrerPolicy, "foo"),
+ withLabel(label.TraefikFrontendCustomBrowserXSSValue, "foo"),
 withLabel(label.TraefikFrontendSTSSeconds, "666"),
 withLabel(label.TraefikFrontendSSLRedirect, "true"),
 withLabel(label.TraefikFrontendSSLTemporaryRedirect, "true"),
@@ -304,6 +305,7 @@ func TestBuildConfigurationNonAPIErrors(t *testing.T) {
 CustomFrameOptionsValue: "foo",
 ContentTypeNosniff: true,
 BrowserXSSFilter: true,
+ CustomBrowserXSSValue: "foo",
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
@@ -540,6 +542,7 @@ func TestBuildConfigurationServicesNonAPIErrors(t *testing.T) {
 withServiceLabel(label.TraefikFrontendContentSecurityPolicy, "foo", "containous"),
 withServiceLabel(label.TraefikFrontendPublicKey, "foo", "containous"),
 withServiceLabel(label.TraefikFrontendReferrerPolicy, "foo", "containous"),
+ withServiceLabel(label.TraefikFrontendCustomBrowserXSSValue, "foo", "containous"),
 withServiceLabel(label.TraefikFrontendSTSSeconds, "666", "containous"),
 withServiceLabel(label.TraefikFrontendSSLRedirect, "true", "containous"),
 withServiceLabel(label.TraefikFrontendSSLTemporaryRedirect, "true", "containous"),
@@ -625,6 +628,7 @@ func TestBuildConfigurationServicesNonAPIErrors(t *testing.T) {
 CustomFrameOptionsValue: "foo",
 ContentTypeNosniff: true,
 BrowserXSSFilter: true,
+ CustomBrowserXSSValue: "foo",
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
@@ -1963,6 +1967,7 @@ func TestGetHeaders(t *testing.T) {
 withLabel(label.TraefikFrontendContentSecurityPolicy, "foo"),
 withLabel(label.TraefikFrontendPublicKey, "foo"),
 withLabel(label.TraefikFrontendReferrerPolicy, "foo"),
+ withLabel(label.TraefikFrontendCustomBrowserXSSValue, "foo"),
 withLabel(label.TraefikFrontendSTSSeconds, "666"),
 withLabel(label.TraefikFrontendSSLRedirect, "true"),
 withLabel(label.TraefikFrontendSSLTemporaryRedirect, "true"),
@@ -1994,6 +1999,7 @@ func TestGetHeaders(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 STSSeconds: 666,
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
@@ -2021,6 +2027,7 @@ func TestGetHeaders(t *testing.T) {
 withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersContentSecurityPolicy, "foo"),
 withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersPublicKey, "foo"),
 withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersReferrerPolicy, "foo"),
+ withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersCustomBrowserXSSValue, "foo"),
 withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersSTSSeconds, "666"),
 withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersSSLRedirect, "true"),
 withLabel(label.Prefix+"containous."+label.SuffixFrontendHeadersSSLTemporaryRedirect, "true"),
@@ -2053,6 +2060,7 @@ func TestGetHeaders(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 STSSeconds: 666,
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
diff --git a/provider/mesos/config.go b/provider/mesos/config.go
index 023a01146..6fd881017 100644
--- a/provider/mesos/config.go
+++ b/provider/mesos/config.go
@@ -405,6 +405,7 @@ func getHeaders(task state.Task) *types.Headers { ContentSecurityPolicy: label.GetStringValue(labels, label.TraefikFrontendContentSecurityPolicy, ""), PublicKey: label.GetStringValue(labels, label.TraefikFrontendPublicKey, ""), ReferrerPolicy: label.GetStringValue(labels, label.TraefikFrontendReferrerPolicy, ""), + CustomBrowserXSSValue: label.GetStringValue(labels, label.TraefikFrontendCustomBrowserXSSValue, ""), } if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined() { diff --git a/provider/mesos/config_test.go b/provider/mesos/config_test.go index f2c1447b2..3bcf3df5f 100644 --- a/provider/mesos/config_test.go +++ b/provider/mesos/config_test.go @@ -160,6 +160,7 @@ func TestBuildConfiguration(t *testing.T) { withLabel(label.TraefikFrontendContentSecurityPolicy, "foo"), withLabel(label.TraefikFrontendPublicKey, "foo"), withLabel(label.TraefikFrontendReferrerPolicy, "foo"), + withLabel(label.TraefikFrontendCustomBrowserXSSValue, "foo"), withLabel(label.TraefikFrontendSTSSeconds, "666"), withLabel(label.TraefikFrontendSSLRedirect, "true"), withLabel(label.TraefikFrontendSSLTemporaryRedirect, "true"), @@ -248,6 +249,7 @@ func TestBuildConfiguration(t *testing.T) { CustomFrameOptionsValue: "foo", ContentTypeNosniff: true, BrowserXSSFilter: true, + CustomBrowserXSSValue: "foo", ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", @@ -1213,6 +1215,7 @@ func TestGetHeaders(t *testing.T) { withLabel(label.TraefikFrontendContentSecurityPolicy, "foo"), withLabel(label.TraefikFrontendPublicKey, "foo"), withLabel(label.TraefikFrontendReferrerPolicy, "foo"), + withLabel(label.TraefikFrontendCustomBrowserXSSValue, "foo"), withLabel(label.TraefikFrontendSTSSeconds, "666"), withLabel(label.TraefikFrontendSSLRedirect, "true"), withLabel(label.TraefikFrontendSSLTemporaryRedirect, "true"), 
@@ -1247,6 +1250,7 @@ func TestGetHeaders(t *testing.T) { ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", + CustomBrowserXSSValue: "foo", STSSeconds: 666, SSLRedirect: true, SSLTemporaryRedirect: true, diff --git a/provider/rancher/config.go b/provider/rancher/config.go index 2c50ad378..e77841505 100644 --- a/provider/rancher/config.go +++ b/provider/rancher/config.go @@ -336,6 +336,7 @@ func getHeaders(service rancherData) *types.Headers { ContentSecurityPolicy: label.GetStringValue(service.Labels, label.TraefikFrontendContentSecurityPolicy, ""), PublicKey: label.GetStringValue(service.Labels, label.TraefikFrontendPublicKey, ""), ReferrerPolicy: label.GetStringValue(service.Labels, label.TraefikFrontendReferrerPolicy, ""), + CustomBrowserXSSValue: label.GetStringValue(service.Labels, label.TraefikFrontendCustomBrowserXSSValue, ""), } if !headers.HasSecureHeadersDefined() && !headers.HasCustomHeadersDefined() { diff --git a/provider/rancher/config_test.go b/provider/rancher/config_test.go index 6444b6baa..48c04413c 100644 --- a/provider/rancher/config_test.go +++ b/provider/rancher/config_test.go @@ -78,6 +78,7 @@ func TestProviderBuildConfiguration(t *testing.T) { label.TraefikFrontendContentSecurityPolicy: "foo", label.TraefikFrontendPublicKey: "foo", label.TraefikFrontendReferrerPolicy: "foo", + label.TraefikFrontendCustomBrowserXSSValue: "foo", label.TraefikFrontendSTSSeconds: "666", label.TraefikFrontendSSLRedirect: "true", label.TraefikFrontendSSLTemporaryRedirect: "true", @@ -164,6 +165,7 @@ func TestProviderBuildConfiguration(t *testing.T) { CustomFrameOptionsValue: "foo", ContentTypeNosniff: true, BrowserXSSFilter: true, + CustomBrowserXSSValue: "foo", ContentSecurityPolicy: "foo", PublicKey: "foo", ReferrerPolicy: "foo", 
@@ -1209,6 +1211,7 @@ func TestGetHeaders(t *testing.T) {
 label.TraefikFrontendContentSecurityPolicy: "foo",
 label.TraefikFrontendPublicKey: "foo",
 label.TraefikFrontendReferrerPolicy: "foo",
+ label.TraefikFrontendCustomBrowserXSSValue: "foo",
 label.TraefikFrontendSTSSeconds: "666",
 label.TraefikFrontendSSLRedirect: "true",
 label.TraefikFrontendSSLTemporaryRedirect: "true",
@@ -1243,6 +1246,7 @@ func TestGetHeaders(t *testing.T) {
 ContentSecurityPolicy: "foo",
 PublicKey: "foo",
 ReferrerPolicy: "foo",
+ CustomBrowserXSSValue: "foo",
 STSSeconds: 666,
 SSLRedirect: true,
 SSLTemporaryRedirect: true,
diff --git a/templates/consul_catalog.tmpl b/templates/consul_catalog.tmpl
index 99431836d..8c6935589 100644
--- a/templates/consul_catalog.tmpl
+++ b/templates/consul_catalog.tmpl
@@ -127,6 +127,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/templates/docker.tmpl b/templates/docker.tmpl
index fce04d433..1c2940717 100644
--- a/templates/docker.tmpl
+++ b/templates/docker.tmpl
@@ -142,6 +142,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
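Review bot: The added line `CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"` in templates/consul_catalog.tmpl places a provider-supplied string between TOML quotes with no escaping visible in the hunk, so a value containing a double quote or line break would close the string early and the rest would be parsed as configuration. Elsewhere in this patch the value is read verbatim from service labels and KV entries (`label.GetStringValue(…, "")`, `p.get("", …)`), which can be written by whoever deploys a workload rather than by the proxy operator. The neighbouring string fields are interpolated the same way, so the new line inherits the gap rather than creating it; if the renderer does not already escape values, which these hunks do not show, the value should be quoted at output, e.g. `CustomBrowserXSSValue = {{ printf "%q" $headers.CustomBrowserXSSValue }}`, or rejected at read time when it contains quotes or control characters. The same line is added in the docker (both hunks), ecs, kubernetes, kv, marathon, mesos and rancher templates.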
@@ -258,6 +259,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/templates/ecs.tmpl b/templates/ecs.tmpl
index ba951e67b..5520ada71 100644
--- a/templates/ecs.tmpl
+++ b/templates/ecs.tmpl
@@ -127,6 +127,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/templates/kubernetes.tmpl b/templates/kubernetes.tmpl
index e42d49f69..6121539b7 100644
--- a/templates/kubernetes.tmpl
+++ b/templates/kubernetes.tmpl
@@ -104,6 +104,7 @@
 CustomFrameOptionsValue = "{{ $frontend.Headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $frontend.Headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $frontend.Headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $frontend.Headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $frontend.Headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $frontend.Headers.PublicKey }}"
 ReferrerPolicy = "{{ $frontend.Headers.ReferrerPolicy }}"
diff --git a/templates/kv.tmpl b/templates/kv.tmpl
index 62089e140..e620b5384 100644
--- a/templates/kv.tmpl
+++ b/templates/kv.tmpl
@@ -126,6 +126,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/templates/marathon.tmpl b/templates/marathon.tmpl
index 10b52360d..b670ef065 100644
--- a/templates/marathon.tmpl
+++ b/templates/marathon.tmpl
@@ -133,6 +133,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/templates/mesos.tmpl b/templates/mesos.tmpl
index ec9422e38..f4443da59 100644
--- a/templates/mesos.tmpl
+++ b/templates/mesos.tmpl
@@ -129,6 +129,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/templates/rancher.tmpl b/templates/rancher.tmpl
index a732386b7..6eb8d2901 100644
--- a/templates/rancher.tmpl
+++ b/templates/rancher.tmpl
@@ -127,6 +127,7 @@
 CustomFrameOptionsValue = "{{ $headers.CustomFrameOptionsValue }}"
 ContentTypeNosniff = {{ $headers.ContentTypeNosniff }}
 BrowserXSSFilter = {{ $headers.BrowserXSSFilter }}
+ CustomBrowserXSSValue = "{{ $headers.CustomBrowserXSSValue }}"
 ContentSecurityPolicy = "{{ $headers.ContentSecurityPolicy }}"
 PublicKey = "{{ $headers.PublicKey }}"
 ReferrerPolicy = "{{ $headers.ReferrerPolicy }}"
diff --git a/types/types.go b/types/types.go
index 385ad629d..e1ce3fe28 100644
--- a/types/types.go
+++ b/types/types.go
@@ -127,6 +127,7 @@ type Headers struct {
 CustomFrameOptionsValue string `json:"customFrameOptionsValue,omitempty"`
 ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty"`
 BrowserXSSFilter bool `json:"browserXssFilter,omitempty"`
+ CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty"`
 ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty"`
 PublicKey string `json:"publicKey,omitempty"`
 ReferrerPolicy string `json:"referrerPolicy,omitempty"`
@@ -155,6 +156,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 h.CustomFrameOptionsValue != "" ||
 h.ContentTypeNosniff ||
 h.BrowserXSSFilter ||
+ h.CustomBrowserXSSValue != "" ||
 h.ContentSecurityPolicy != "" ||
 h.PublicKey != "" ||
 h.ReferrerPolicy != "" ||
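Review bot: The new field's tag `json:"customBrowserXSSValue,omitempty"` in the `Headers` struct hunk of types/types.go spells the initialism `XSS`, while the field directly above it is tagged `json:"browserXssFilter,omitempty"`, so the serialized configuration carries two spellings for closely related options. The tag is part of the external format and hard to change once released, so consider `json:"customBrowserXssValue,omitempty"` to match its neighbour (the label suffixes in provider/label/names.go do use `XSS`, so the project may prefer the reverse; either way one convention should be picked). The field is also undocumented: a comment such as `// CustomBrowserXSSValue overrides the value sent for the browser XSS filter header.` would help, but the precedence over `BrowserXSSFilter` when both are set is presumably decided in middlewares/secure.go and is not established by the hunks shown here, so confirm it before writing it down. The struct body continues outside the hunk.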