Headers middleware: support Content-Security-Policy-Report-Only
This commit is contained in:
parent
67f0700377
commit
b37aaea36d
17 changed files with 116 additions and 66 deletions
|
@ -394,6 +394,10 @@ This overrides the `BrowserXssFilter` option.
|
||||||
|
|
||||||
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
|
The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
|
||||||
|
|
||||||
|
### `contentSecurityPolicyReportOnly`
|
||||||
|
|
||||||
|
The `contentSecurityPolicyReportOnly` option allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.
|
||||||
|
|
||||||
### `publicKey`
|
### `publicKey`
|
||||||
|
|
||||||
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
|
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
|
||||||
|
|
|
@ -55,6 +55,7 @@
|
||||||
- "traefik.http.middlewares.middleware12.headers.allowedhosts=foobar, foobar"
|
- "traefik.http.middlewares.middleware12.headers.allowedhosts=foobar, foobar"
|
||||||
- "traefik.http.middlewares.middleware12.headers.browserxssfilter=true"
|
- "traefik.http.middlewares.middleware12.headers.browserxssfilter=true"
|
||||||
- "traefik.http.middlewares.middleware12.headers.contentsecuritypolicy=foobar"
|
- "traefik.http.middlewares.middleware12.headers.contentsecuritypolicy=foobar"
|
||||||
|
- "traefik.http.middlewares.middleware12.headers.contentsecuritypolicyreportonly=foobar"
|
||||||
- "traefik.http.middlewares.middleware12.headers.contenttypenosniff=true"
|
- "traefik.http.middlewares.middleware12.headers.contenttypenosniff=true"
|
||||||
- "traefik.http.middlewares.middleware12.headers.custombrowserxssvalue=foobar"
|
- "traefik.http.middlewares.middleware12.headers.custombrowserxssvalue=foobar"
|
||||||
- "traefik.http.middlewares.middleware12.headers.customframeoptionsvalue=foobar"
|
- "traefik.http.middlewares.middleware12.headers.customframeoptionsvalue=foobar"
|
||||||
|
|
|
@ -198,6 +198,7 @@
|
||||||
browserXssFilter = true
|
browserXssFilter = true
|
||||||
customBrowserXSSValue = "foobar"
|
customBrowserXSSValue = "foobar"
|
||||||
contentSecurityPolicy = "foobar"
|
contentSecurityPolicy = "foobar"
|
||||||
|
contentSecurityPolicyReportOnly = "foobar"
|
||||||
publicKey = "foobar"
|
publicKey = "foobar"
|
||||||
referrerPolicy = "foobar"
|
referrerPolicy = "foobar"
|
||||||
permissionsPolicy = "foobar"
|
permissionsPolicy = "foobar"
|
||||||
|
|
|
@ -242,6 +242,7 @@ http:
|
||||||
browserXssFilter: true
|
browserXssFilter: true
|
||||||
customBrowserXSSValue: foobar
|
customBrowserXSSValue: foobar
|
||||||
contentSecurityPolicy: foobar
|
contentSecurityPolicy: foobar
|
||||||
|
contentSecurityPolicyReportOnly: foobar
|
||||||
publicKey: foobar
|
publicKey: foobar
|
||||||
referrerPolicy: foobar
|
referrerPolicy: foobar
|
||||||
permissionsPolicy: foobar
|
permissionsPolicy: foobar
|
||||||
|
|
|
@ -1309,6 +1309,10 @@ spec:
|
||||||
description: ContentSecurityPolicy defines the Content-Security-Policy
|
description: ContentSecurityPolicy defines the Content-Security-Policy
|
||||||
header value.
|
header value.
|
||||||
type: string
|
type: string
|
||||||
|
contentSecurityPolicyReportOnly:
|
||||||
|
description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only
|
||||||
|
header value.
|
||||||
|
type: string
|
||||||
contentTypeNosniff:
|
contentTypeNosniff:
|
||||||
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
||||||
header with the nosniff value.
|
header with the nosniff value.
|
||||||
|
|
|
@ -71,6 +71,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
|
||||||
| `traefik/http/middlewares/Middleware12/headers/allowedHosts/1` | `foobar` |
|
| `traefik/http/middlewares/Middleware12/headers/allowedHosts/1` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware12/headers/browserXssFilter` | `true` |
|
| `traefik/http/middlewares/Middleware12/headers/browserXssFilter` | `true` |
|
||||||
| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicy` | `foobar` |
|
| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicy` | `foobar` |
|
||||||
|
| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicyReportOnly` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware12/headers/contentTypeNosniff` | `true` |
|
| `traefik/http/middlewares/Middleware12/headers/contentTypeNosniff` | `true` |
|
||||||
| `traefik/http/middlewares/Middleware12/headers/customBrowserXSSValue` | `foobar` |
|
| `traefik/http/middlewares/Middleware12/headers/customBrowserXSSValue` | `foobar` |
|
||||||
| `traefik/http/middlewares/Middleware12/headers/customFrameOptionsValue` | `foobar` |
|
| `traefik/http/middlewares/Middleware12/headers/customFrameOptionsValue` | `foobar` |
|
||||||
|
|
|
@ -585,6 +585,10 @@ spec:
|
||||||
description: ContentSecurityPolicy defines the Content-Security-Policy
|
description: ContentSecurityPolicy defines the Content-Security-Policy
|
||||||
header value.
|
header value.
|
||||||
type: string
|
type: string
|
||||||
|
contentSecurityPolicyReportOnly:
|
||||||
|
description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only
|
||||||
|
header value.
|
||||||
|
type: string
|
||||||
contentTypeNosniff:
|
contentTypeNosniff:
|
||||||
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
||||||
header with the nosniff value.
|
header with the nosniff value.
|
||||||
|
|
|
@ -1309,6 +1309,10 @@ spec:
|
||||||
description: ContentSecurityPolicy defines the Content-Security-Policy
|
description: ContentSecurityPolicy defines the Content-Security-Policy
|
||||||
header value.
|
header value.
|
||||||
type: string
|
type: string
|
||||||
|
contentSecurityPolicyReportOnly:
|
||||||
|
description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only
|
||||||
|
header value.
|
||||||
|
type: string
|
||||||
contentTypeNosniff:
|
contentTypeNosniff:
|
||||||
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
||||||
header with the nosniff value.
|
header with the nosniff value.
|
||||||
|
|
|
@ -330,6 +330,7 @@
|
||||||
browserXssFilter = true
|
browserXssFilter = true
|
||||||
customBrowserXSSValue = "foobar"
|
customBrowserXSSValue = "foobar"
|
||||||
contentSecurityPolicy = "foobar"
|
contentSecurityPolicy = "foobar"
|
||||||
|
contentSecurityPolicyReportOnly = "foobar"
|
||||||
publicKey = "foobar"
|
publicKey = "foobar"
|
||||||
referrerPolicy = "foobar"
|
referrerPolicy = "foobar"
|
||||||
isDevelopment = true
|
isDevelopment = true
|
||||||
|
|
|
@ -313,6 +313,8 @@ type Headers struct {
|
||||||
CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"`
|
CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"`
|
||||||
// ContentSecurityPolicy defines the Content-Security-Policy header value.
|
// ContentSecurityPolicy defines the Content-Security-Policy header value.
|
||||||
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
|
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
|
||||||
|
// ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only header value.
|
||||||
|
ContentSecurityPolicyReportOnly string `json:"contentSecurityPolicyReportOnly,omitempty" toml:"contentSecurityPolicyReportOnly,omitempty" yaml:"contentSecurityPolicyReportOnly,omitempty"`
|
||||||
// PublicKey is the public key that implements HPKP to prevent MITM attacks with forged certificates.
|
// PublicKey is the public key that implements HPKP to prevent MITM attacks with forged certificates.
|
||||||
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
|
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
|
||||||
// ReferrerPolicy defines the Referrer-Policy header value.
|
// ReferrerPolicy defines the Referrer-Policy header value.
|
||||||
|
@ -376,6 +378,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
|
||||||
h.BrowserXSSFilter ||
|
h.BrowserXSSFilter ||
|
||||||
h.CustomBrowserXSSValue != "" ||
|
h.CustomBrowserXSSValue != "" ||
|
||||||
h.ContentSecurityPolicy != "" ||
|
h.ContentSecurityPolicy != "" ||
|
||||||
|
h.ContentSecurityPolicyReportOnly != "" ||
|
||||||
h.PublicKey != "" ||
|
h.PublicKey != "" ||
|
||||||
h.ReferrerPolicy != "" ||
|
h.ReferrerPolicy != "" ||
|
||||||
(h.FeaturePolicy != nil && *h.FeaturePolicy != "") ||
|
(h.FeaturePolicy != nil && *h.FeaturePolicy != "") ||
|
||||||
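Review bot: The new field comment `// ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only header value.` does not say that a report-only policy is never enforced, which is the one thing an operator choosing between the two fields needs to know; a reader skimming the Headers struct could assume it is a second enforcement knob. I would extend the comment to `// ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only header value.` followed by `// Violations of this policy are only reported, never blocked, so it is not a substitute for ContentSecurityPolicy; reports are only delivered when the value carries a report-uri or report-to directive.` The HasSecureHeadersDefined hunk further down correctly includes the new field in the gate, so nothing to change there. The `type Headers struct` definition starts before the first hunk and HasSecureHeadersDefined continues past the second.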
|
|
|
@ -63,6 +63,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
||||||
"traefik.http.middlewares.Middleware8.headers.addvaryheader": "true",
|
"traefik.http.middlewares.Middleware8.headers.addvaryheader": "true",
|
||||||
"traefik.http.middlewares.Middleware8.headers.browserxssfilter": "true",
|
"traefik.http.middlewares.Middleware8.headers.browserxssfilter": "true",
|
||||||
"traefik.http.middlewares.Middleware8.headers.contentsecuritypolicy": "foobar",
|
"traefik.http.middlewares.Middleware8.headers.contentsecuritypolicy": "foobar",
|
||||||
|
"traefik.http.middlewares.Middleware8.headers.contentsecuritypolicyreportonly": "foobar",
|
||||||
"traefik.http.middlewares.Middleware8.headers.contenttypenosniff": "true",
|
"traefik.http.middlewares.Middleware8.headers.contenttypenosniff": "true",
|
||||||
"traefik.http.middlewares.Middleware8.headers.custombrowserxssvalue": "foobar",
|
"traefik.http.middlewares.Middleware8.headers.custombrowserxssvalue": "foobar",
|
||||||
"traefik.http.middlewares.Middleware8.headers.customframeoptionsvalue": "foobar",
|
"traefik.http.middlewares.Middleware8.headers.customframeoptionsvalue": "foobar",
|
||||||
|
@ -622,6 +623,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
||||||
BrowserXSSFilter: true,
|
BrowserXSSFilter: true,
|
||||||
CustomBrowserXSSValue: "foobar",
|
CustomBrowserXSSValue: "foobar",
|
||||||
ContentSecurityPolicy: "foobar",
|
ContentSecurityPolicy: "foobar",
|
||||||
|
ContentSecurityPolicyReportOnly: "foobar",
|
||||||
PublicKey: "foobar",
|
PublicKey: "foobar",
|
||||||
ReferrerPolicy: "foobar",
|
ReferrerPolicy: "foobar",
|
||||||
FeaturePolicy: String("foobar"),
|
FeaturePolicy: String("foobar"),
|
||||||
|
@ -1145,6 +1147,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
||||||
BrowserXSSFilter: true,
|
BrowserXSSFilter: true,
|
||||||
CustomBrowserXSSValue: "foobar",
|
CustomBrowserXSSValue: "foobar",
|
||||||
ContentSecurityPolicy: "foobar",
|
ContentSecurityPolicy: "foobar",
|
||||||
|
ContentSecurityPolicyReportOnly: "foobar",
|
||||||
PublicKey: "foobar",
|
PublicKey: "foobar",
|
||||||
ReferrerPolicy: "foobar",
|
ReferrerPolicy: "foobar",
|
||||||
FeaturePolicy: String("foobar"),
|
FeaturePolicy: String("foobar"),
|
||||||
|
@ -1299,6 +1302,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.AllowedHosts": "foobar, fiibar",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.AllowedHosts": "foobar, fiibar",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.BrowserXSSFilter": "true",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.BrowserXSSFilter": "true",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicy": "foobar",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicy": "foobar",
|
||||||
|
"traefik.HTTP.Middlewares.Middleware8.Headers.ContentSecurityPolicyReportOnly": "foobar",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.ContentTypeNosniff": "true",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.ContentTypeNosniff": "true",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.CustomBrowserXSSValue": "foobar",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.CustomBrowserXSSValue": "foobar",
|
||||||
"traefik.HTTP.Middlewares.Middleware8.Headers.CustomFrameOptionsValue": "foobar",
|
"traefik.HTTP.Middlewares.Middleware8.Headers.CustomFrameOptionsValue": "foobar",
|
||||||
|
|
|
@ -25,6 +25,7 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
|
||||||
STSIncludeSubdomains: cfg.STSIncludeSubdomains,
|
STSIncludeSubdomains: cfg.STSIncludeSubdomains,
|
||||||
STSPreload: cfg.STSPreload,
|
STSPreload: cfg.STSPreload,
|
||||||
ContentSecurityPolicy: cfg.ContentSecurityPolicy,
|
ContentSecurityPolicy: cfg.ContentSecurityPolicy,
|
||||||
|
ContentSecurityPolicyReportOnly: cfg.ContentSecurityPolicyReportOnly,
|
||||||
CustomBrowserXssValue: cfg.CustomBrowserXSSValue,
|
CustomBrowserXssValue: cfg.CustomBrowserXSSValue,
|
||||||
CustomFrameOptionsValue: cfg.CustomFrameOptionsValue,
|
CustomFrameOptionsValue: cfg.CustomFrameOptionsValue,
|
||||||
PublicKey: cfg.PublicKey,
|
PublicKey: cfg.PublicKey,
|
||||||
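Review bot: The new `ContentSecurityPolicyReportOnly: cfg.ContentSecurityPolicyReportOnly,` line wires the option into the secure handler, but as far as the 17 changed files on this page go, none is a headers middleware response test: the tests touched here only cover label and KV decoding/encoding and fixtures. I would add a case to the headers middleware tests that builds a `dynamic.Headers` with only ContentSecurityPolicyReportOnly set and asserts the response carries `Content-Security-Policy-Report-Only` with that value and no `Content-Security-Policy` header, so a future mapping slip between the two fields is caught. If the underlying library applies any placeholder substitution to the enforced CSP value, the test should also confirm whether the same applies to the report-only value, since the hunk does not show that. newSecure's body begins and ends outside the hunk.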
|
|
|
@ -139,6 +139,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
"traefik/http/middlewares/Middleware09/headers/accessControlExposeHeaders/0": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/accessControlExposeHeaders/0": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/accessControlExposeHeaders/1": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/accessControlExposeHeaders/1": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/contentSecurityPolicy": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/contentSecurityPolicy": "foobar",
|
||||||
|
"traefik/http/middlewares/Middleware09/headers/contentSecurityPolicyReportOnly": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/publicKey": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/publicKey": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name0": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name0": "foobar",
|
||||||
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name1": "foobar",
|
"traefik/http/middlewares/Middleware09/headers/customRequestHeaders/name1": "foobar",
|
||||||
|
@ -612,6 +613,7 @@ func Test_buildConfiguration(t *testing.T) {
|
||||||
BrowserXSSFilter: true,
|
BrowserXSSFilter: true,
|
||||||
CustomBrowserXSSValue: "foobar",
|
CustomBrowserXSSValue: "foobar",
|
||||||
ContentSecurityPolicy: "foobar",
|
ContentSecurityPolicy: "foobar",
|
||||||
|
ContentSecurityPolicyReportOnly: "foobar",
|
||||||
PublicKey: "foobar",
|
PublicKey: "foobar",
|
||||||
ReferrerPolicy: "foobar",
|
ReferrerPolicy: "foobar",
|
||||||
FeaturePolicy: String("foobar"),
|
FeaturePolicy: String("foobar"),
|
||||||
|
|
|
@ -214,6 +214,7 @@ func init() {
|
||||||
BrowserXSSFilter: true,
|
BrowserXSSFilter: true,
|
||||||
CustomBrowserXSSValue: "foo",
|
CustomBrowserXSSValue: "foo",
|
||||||
ContentSecurityPolicy: "foo",
|
ContentSecurityPolicy: "foo",
|
||||||
|
ContentSecurityPolicyReportOnly: "foo",
|
||||||
PublicKey: "foo",
|
PublicKey: "foo",
|
||||||
ReferrerPolicy: "foo",
|
ReferrerPolicy: "foo",
|
||||||
PermissionsPolicy: "foo",
|
PermissionsPolicy: "foo",
|
||||||
|
|
|
@ -170,6 +170,7 @@
|
||||||
"browserXssFilter": true,
|
"browserXssFilter": true,
|
||||||
"customBrowserXSSValue": "xxxx",
|
"customBrowserXSSValue": "xxxx",
|
||||||
"contentSecurityPolicy": "xxxx",
|
"contentSecurityPolicy": "xxxx",
|
||||||
|
"contentSecurityPolicyReportOnly": "xxxx",
|
||||||
"publicKey": "xxxx",
|
"publicKey": "xxxx",
|
||||||
"referrerPolicy": "foo",
|
"referrerPolicy": "foo",
|
||||||
"permissionsPolicy": "foo",
|
"permissionsPolicy": "foo",
|
||||||
|
|
|
@ -173,6 +173,7 @@
|
||||||
"browserXssFilter": true,
|
"browserXssFilter": true,
|
||||||
"customBrowserXSSValue": "foo",
|
"customBrowserXSSValue": "foo",
|
||||||
"contentSecurityPolicy": "foo",
|
"contentSecurityPolicy": "foo",
|
||||||
|
"contentSecurityPolicyReportOnly": "foo",
|
||||||
"publicKey": "foo",
|
"publicKey": "foo",
|
||||||
"referrerPolicy": "foo",
|
"referrerPolicy": "foo",
|
||||||
"permissionsPolicy": "foo",
|
"permissionsPolicy": "foo",
|
||||||
|
|
|
@ -817,6 +817,22 @@
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</q-card-section>
|
</q-card-section>
|
||||||
|
<!-- EXTRA FIELDS FROM MIDDLEWARES - [headers] - contentSecurityPolicyReportOnly -->
|
||||||
|
<q-card-section v-if="middleware.headers">
|
||||||
|
<div class="row items-start no-wrap">
|
||||||
|
<div class="col">
|
||||||
|
<div class="text-subtitle2">
|
||||||
|
Content Security Policy (Report Only)
|
||||||
|
</div>
|
||||||
|
<q-chip
|
||||||
|
dense
|
||||||
|
class="app-chip app-chip-green"
|
||||||
|
>
|
||||||
|
{{ exData(middleware).contentSecurityPolicyReportOnly }}
|
||||||
|
</q-chip>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</q-card-section>
|
||||||
<!-- EXTRA FIELDS FROM MIDDLEWARES - [headers] - publicKey -->
|
<!-- EXTRA FIELDS FROM MIDDLEWARES - [headers] - publicKey -->
|
||||||
<q-card-section v-if="middleware.headers">
|
<q-card-section v-if="middleware.headers">
|
||||||
<div class="row items-start no-wrap">
|
<div class="row items-start no-wrap">
|
||||||
|
|