From db800ddeac7007c528e4b7ee4fabf1eb85349e10 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Wed, 24 Nov 2021 13:12:13 -0800
Subject: [PATCH] cmd/derper: set Content-Security-Policy on DERPs.

It's a basic "deny everything" policy, since DERP's HTTP server is very uninteresting from a browser POV. But it stops every security scanner under the sun from reporting "dangerously configured" HTTP servers.

Updates tailscale/corp#3119

Signed-off-by: David Anderson
---
 cmd/derper/derper.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index 8298c9ed7..e29bc4fda 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -236,11 +236,18 @@ func main() {
 		return cert, nil
 	}
 	httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Security scanners get cranky when HTTPS sites don't set
-		// HSTS. Set it even though derper doesn't really serve
-		// anything of interest to browsers (and API clients like
-		// tailscale don't obey HSTS).
+		// Set HTTP headers to appease automated security scanners.
+		//
+		// Security automation gets cranky when HTTPS sites don't
+		// set HSTS, and when they don't specify a content
+		// security policy for XSS mitigation.
+		//
+		// DERP's HTTP interface is only ever used for debug
+		// access (for which trivial safe policies work just
+		// fine), and by DERP clients which don't obey any of
+		// these browser-centric headers anyway.
 		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
 		mux.ServeHTTP(w, r)
 	})
 	go func() {
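Review bot: The added Content-Security-Policy value carries two directives that current browsers no longer honour: `plugin-types` was dropped from CSP Level 3 and `block-all-mixed-content` is deprecated, and `default-src 'none'` already denies `object-src` and everything else a plugin could load, so they add console warnings without adding protection; `base-uri 'self'` is also the only directive in an otherwise deny-everything policy that is not `'none'`. A leaner value that makes the same promise is `default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'`, and since the string is long and now set on every response, hoisting it to a package-level `const` next to the HSTS value would keep the handler readable. Presumably the same scanners that want a CSP also report a missing `X-Content-Type-Options: nosniff`; if the goal is a quiet scan report it may be worth setting that alongside, but that is beyond what this commit claims. The enclosing `func main()` starts and ends outside the hunk, so the `mux` these headers wrap is not visible here.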