Add simple clickjacking prevention
Support X-Frame-Options with a default of SAMEORIGIN.
hmpf committed Feb 21, 2024
1 parent 6b010e1 commit 96619cb
Showing 2 changed files with 24 additions and 4 deletions.
8 changes: 6 additions & 2 deletions python/nav/django/settings.py
Expand Up @@ -126,6 +126,7 @@

# Middleware
MIDDLEWARE = (
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'nav.web.auth.middleware.AuthenticationMiddleware',
Expand Down Expand Up @@ -261,13 +262,16 @@
# * https://docs.djangoproject.com/en/3.2/ref/clickjacking/
# Example conf:
# [security]
# ssl = on
# tls = on
# frames_allow = self

SECURE_BROWSER_XSS_FILTER = True # Does no harm

_websecurity_config = WebSecurityConfigParser()
_tls_enabled = bool(_websecurity_config.getboolean('security', 'tls'))
_tls_enabled = bool(_websecurity_config.getboolean('tls'))
SESSION_COOKIE_SECURE = _tls_enabled
X_FRAME_OPTIONS = _websecurity_config.get_x_frame_options()


# Hack for hackers to use features like debug_toolbar etc.
# https://code.djangoproject.com/wiki/SplitSettings (Rob Golding's method)
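Review bot: The example configuration in the second hunk documents the frames option under the wrong key: `# frames_allow = self`, while the parser added in python/nav/web/security.py reads `FRAMES_OPTION = 'allow_frames'` and ships `allow_frames=self` in its DEFAULT_CONFIG, so an operator who copies the example into webfront.conf sets a key that is never consulted and silently keeps the default. Change the comment to `# allow_frames = self`. It would also help to say in that comment block which values are honoured — from the parser, only `none` switches the header to DENY and every other value yields SAMEORIGIN — so nobody expects a CSP-style origin list here.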
20 changes: 18 additions & 2 deletions python/nav/web/security.py
@@ -1,11 +1,27 @@
from pathlib import Path

from nav.config import NAVConfigParser
from nav.config import NavConfigParserDefaultSection


class WebSecurityConfigParser(NAVConfigParser):
class WebSecurityConfigParser(NavConfigParserDefaultSection):
SECTION = "security"
DEFAULT_CONFIG_FILES = [str(Path('webfront') / 'webfront.conf')]
DEFAULT_CONFIG = u"""
[security]
tls=off
allow_frames=self
"""
FRAMES_OPTION = 'allow_frames'
FRAMES_DEFAULT = 'self'

def __init__(self):
super().__init__(self.SECTION)

# clickjacking-settings

def get_x_frame_options(self):
"Translate CSP frame ancestors to the old X-Frame-Options header"
frames_flag = self.get(self.FRAMES_OPTION) or self.FRAMES_DEFAULT
if frames_flag == 'none':
return 'DENY'
return 'SAMEORIGIN'

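Review bot: get_x_frame_options compares the configured value with the literal `'none'` only, so `None` or `NONE` (unless NavConfigParserDefaultSection lowercases values, which this hunk does not show) and any CSP-style origin list fall through to SAMEORIGIN, even though the docstring promises a translation of frame ancestors. Normalising the value first and documenting the accepted values would make that behaviour explicit, e.g. `frames_flag = (self.get(self.FRAMES_OPTION) or self.FRAMES_DEFAULT).strip().lower()` together with a docstring such as `"Map allow_frames (self|none) to the X-Frame-Options header; any other value yields SAMEORIGIN."`. The fallback to SAMEORIGIN is the safe direction, so this is about predictability for operators rather than an exposure.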