From 0855ea2f7109997d726f393a2337f6735733708f Mon Sep 17 00:00:00 2001 From: James Elliott Date: Wed, 4 May 2022 14:47:23 +1000 Subject: [PATCH] fix(server): missing cache and xss headers (#3289) Addresses documentation and a couple of headers which were missed. --- docs/security/measures.md | 129 ++++++++++++----------- internal/middlewares/authelia_context.go | 10 +- internal/middlewares/const.go | 17 ++- internal/middlewares/headers.go | 21 ++++ internal/middlewares/strip_path.go | 20 ++-- internal/middlewares/types.go | 3 + internal/server/handlers.go | 96 +++++++++-------- 7 files changed, 172 insertions(+), 124 deletions(-) diff --git a/docs/security/measures.md b/docs/security/measures.md index 12bd1c56..d1410e6c 100644 --- a/docs/security/measures.md +++ b/docs/security/measures.md 
@@ -89,10 +89,15 @@ that users who have access to the database do not also have access to this key. The encrypted data in the database is as follows: -| Table | Column | Rational | -|:-------------------:|:----------:|:------------------------------------------------------------------------------------------------------:| -| totp_configurations | secret | Prevents a [Leaked Database](#leaked-database) or [Bad Actors](#bad-actors) from compromising security | -| webauthn_devices | public_key | Prevents [Bad Actors](#bad-actors) from compromising security | +| Table | Column | Rational | +|:---------------------------------:|:------------:|:------------------------------------------------------------------------------------------------------:| +| totp_configurations | secret | Prevents a [Leaked Database](#leaked-database) or [Bad Actors](#bad-actors) from compromising security | +| webauthn_devices | public_key | Prevents [Bad Actors](#bad-actors) from compromising security | +| oauth2_authorization_code_session | session_data | Prevents [Bad Actors](#bad-actors) from compromising security | +| oauth2_access_token_session | session_data | Prevents [Bad Actors](#bad-actors) from compromising security | +| oauth2_refresh_token_session | session_data | Prevents [Bad Actors](#bad-actors) from compromising security | +| oauth2_pkce_request_session | session_data | Prevents [Bad Actors](#bad-actors) from compromising security | +| oauth2_openid_connect_session | session_data | Prevents [Bad Actors](#bad-actors) from compromising security | ### Leaked Database 
@@ -224,77 +229,70 @@ feature, and set the [expiration](../configuration/session/index.md#expiration) manner would mean if the cookie age was more than 2 hours or if the user was inactive for more than 10 minutes the session would be destroyed. -### Additional proxy protection measures +### Response Headers -You can also apply the following headers to your proxy configuration for improving security. Please read the -relevant documentation for these headers before applying them blindly. +This document previously detailed additional per-proxy configuration options that could be utilized in a proxy to +improve security. These headers are now documented here and implemented by default in all responses due to the fact +the experience should be the same regardless of which proxy you're utilizing and the area is rapidly evolving. -#### nginx +Users who need custom behaviours in this area can submit a request or remove/replace the headers as necessary. -``` -# We don't want any credentials / TOTP secret key / QR code to be cached by -# the client -add_header Cache-Control "no-store"; -add_header Pragma "no-cache"; +#### X-Content-Type-Options -# Clickjacking / XSS protection +**Value:** `nosniff` +**Endpoints:** All -# We don't want Authelia's login page to be rendered within a , -#
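Review bot: the rewritten `docs/security/measures.md` table in the first hunk keeps the misspelt column header `Rational` (should be `Rationale`) in `+| Table | Column | Rational |`; since this hunk already rewrites the header and divider rows to widen the table, correct the spelling here rather than leaving it for a follow-up. The five new `oauth2_*` rows also all carry the identical one-line rationale "Prevents Bad Actors from compromising security"; a short clause saying what `session_data` holds for these tables would tell readers why encrypting that column matters, as the existing `totp_configurations` / `secret` row does by naming the leaked-database case.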
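Review bot: in the second hunk the removed nginx block carried concrete guidance (`Cache-Control "no-store"` and `Pragma "no-cache"` so credentials, the TOTP secret and the QR code are not cached, plus the clickjacking / XSS protections), but the replacement text only says the headers are "implemented by default in all responses" and the visible part of the new section documents `X-Content-Type-Options` alone; make sure the per-header entries that follow cover `Cache-Control` and the clickjacking protections with their **Endpoints** lists so that rationale is not lost, and reword "in all responses" since the per-header **Endpoints** field implies the set varies by endpoint. Two smaller points: "due to the fact the experience should be the same" reads better as "because the experience should be the same", and `+**Value:** \`nosniff\`` followed directly by `+**Endpoints:** All` will render as a single paragraph in Markdown unless separated by a blank line or written as a list. "Users who need custom behaviours ... can ... remove/replace the headers as necessary" also gives no pointer to where that is done; a link to the relevant configuration or proxy documentation would help.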