Add secure HTTP headers to ingress gateway #16

brettcurtis opened this issue Sep 1, 2024 · 0 comments
brettcurtis commented Sep 1, 2024

Warning

EnvoyFilter exposes internal implementation details that may change at any time. Prefer other APIs if possible, and exercise extreme caution, especially around upgrades.

envoyfilter.networking.istio.io/security-by-default-header-filter created

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: security-by-default-header-filter
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Returns true when the response's Content-Security-Policy already
            -- carries a frame-ancestors directive (split on ';', whitespace removed).
            local function hasFrameAncestors(rh)
              local s = rh:headers():get("Content-Security-Policy")
              local delimiter = ";"
              for match in (s .. delimiter):gmatch("(.-)" .. delimiter) do
                match = match:gsub("%s+", "")
                if match:sub(1, 15) == "frame-ancestors" then
                  return true
                end
              end
              return false
            end

            function envoy_on_response(response_handle)
              local headers = response_handle:headers()

              -- Only add frame-ancestors when the upstream did not set one, so an
              -- application-supplied CSP is never overridden. CSP keywords must be
              -- quoted: an unquoted none is parsed as a host source named "none".
              local csp = headers:get("Content-Security-Policy")
              if not csp then
                headers:add("Content-Security-Policy", "frame-ancestors 'none';")
              elseif not hasFrameAncestors(response_handle) then
                -- Trim a trailing ';' / whitespace so the merged value never contains ';;'.
                csp = csp:gsub("[;%s]+$", "") .. "; frame-ancestors 'none';"
                headers:replace("Content-Security-Policy", csp)
              end

              -- Remaining headers are added only when absent; existing values win.
              if not headers:get("X-Frame-Options") then
                headers:add("X-Frame-Options", "deny")
              end
              if not headers:get("X-XSS-Protection") then
                headers:add("X-XSS-Protection", "1; mode=block")
              end
              if not headers:get("X-Content-Type-Options") then
                headers:add("X-Content-Type-Options", "nosniff")
              end
              if not headers:get("Referrer-Policy") then
                headers:add("Referrer-Policy", "no-referrer")
              end
              if not headers:get("X-Download-Options") then
                headers:add("X-Download-Options", "noopen")
              end
              if not headers:get("X-DNS-Prefetch-Control") then
                headers:add("X-DNS-Prefetch-Control", "off")
              end
              if not headers:get("Feature-Policy") then
                headers:add("Feature-Policy",
                            "camera 'none';" ..
                            "microphone 'none';" ..
                            "geolocation 'none';" ..
                            "encrypted-media 'none';" ..
                            "payment 'none';" ..
                            "speaker 'none';" ..
                            "usb 'none';")
              end

              -- Strip server fingerprinting header if the upstream set it.
              if headers:get("X-Powered-By") then
                headers:remove("X-Powered-By")
              end
            end
```

Check: https://securityheaders.com/

Nuclei is still reporting:

http-missing-security-headers:cross-origin-opener-policy
http-missing-security-headers:cross-origin-resource-policy
http-missing-security-headers:strict-transport-security
http-missing-security-headers:permissions-policy
http-missing-security-headers:x-permitted-cross-domain-policies
http-missing-security-headers:clear-site-data
http-missing-security-headers:cross-origin-embedder-policy

OWASP Secure Headers Project:
Recommended: https://owasp.org/www-project-secure-headers/ci/headers_add.json
Remove: https://owasp.org/www-project-secure-headers/ci/headers_remove.json
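An offline check of what the filter above is expected to produce, added here as an example and not part of the issue or the project: it ports the Lua frame-ancestors merge logic to Python and compares a response's headers against the set the filter adds plus the set Nuclei still reports as missing. The header names come from the filter and the Nuclei output above; the sample responses are constructed.

```python
"""Check a response's header set against this EnvoyFilter's intent (constructed example)."""
from typing import Dict, List

# Headers the Lua filter adds when the upstream response lacks them.
ADDED_BY_FILTER = {
    "Content-Security-Policy", "X-Frame-Options", "X-XSS-Protection",
    "X-Content-Type-Options", "Referrer-Policy", "X-Download-Options",
    "X-DNS-Prefetch-Control", "Feature-Policy",
}
# Headers Nuclei still flags as missing after the filter runs (from the issue).
STILL_MISSING = {
    "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy",
    "Strict-Transport-Security", "Permissions-Policy",
    "X-Permitted-Cross-Domain-Policies", "Clear-Site-Data",
    "Cross-Origin-Embedder-Policy",
}
EXPECTED = ADDED_BY_FILTER | STILL_MISSING


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}; empty segments are skipped."""
    directives: Dict[str, List[str]] = {}
    for segment in value.split(";"):
        parts = segment.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def ensure_frame_ancestors(headers: Dict[str, str]) -> str:
    """Port of the Lua merge logic: add frame-ancestors 'none' only when the
    response did not set one, so an app-supplied CSP is never overridden."""
    csp = headers.get("Content-Security-Policy", "")
    if "frame-ancestors" not in parse_csp(csp):
        # Trim trailing ';' so the merged value never contains ';;'.
        base = csp.rstrip("; ")
        csp = f"{base}; frame-ancestors 'none'" if base else "frame-ancestors 'none'"
    headers["Content-Security-Policy"] = csp
    return csp


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Return expected security headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return sorted(h for h in EXPECTED if h.lower() not in present)
```

Feeding the filter's output into `missing_headers` should return exactly the seven names Nuclei lists; an empty list means the OWASP recommended set from the issue is covered.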
