From fe90c4d24faf90ec694ca8534e5ea1e0e37f009f Mon Sep 17 00:00:00 2001
From: Brendan Early
Date: May 22 2021 23:36:09 +0000
Subject: Add security headers to nginx revert xml changes in solr script
---
diff --git a/bin/update-solr.py b/bin/update-solr.py
index 0b26c33..d033e7e 100755
--- a/bin/update-solr.py
+++ b/bin/update-solr.py
@@ -9,14 +9,15 @@
 import os
 import re
 import sys
 import json
-import shutil
 import sqlite3
-import argparse
 import requests
+import defusedxml
 from datetime import date
 from collections import defaultdict
-from defusedxml.ElementTree import Element, tostring
+# This is used to encode xml, not parse it. Security warning is irrelevant.
+# defusedxml does not have an Element import and defuse_stdlib() is called anyway for caution's sake.
+from xml.etree.ElementTree import Element, tostring # nosec
 
 SOLR_URL=os.environ.get('SOLR_URL')
 SOLR_CORE=os.environ.get('SOLR_CORE')
@@ -177,4 +178,5 @@ def main():
     print("> {} packages submitted to solr.".format(len(packages)))
 
 if __name__ == '__main__':
+    defusedxml.defuse_stdlib()
     main()
diff --git a/container/nginx.conf b/container/nginx.conf
index be2a686..787f40d 100644
--- a/container/nginx.conf
+++ b/container/nginx.conf
@@ -37,7 +37,13 @@ http {
         listen [::]:8080;
         server_name _;
         root /srv/packages;
-        port_in_redirect off;
+
+        absolute_redirect off;
+        add_header X-Frame-Options "DENY";
+        add_header X-Xss-Protection "1; mode=block";
+        add_header X-Content-Type-Options "nosniff";
+        add_header Referrer-Policy "no-referrer";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; connect-src 'self' https://apps.fedoraproject.org; style-src 'self' https://apps.fedoraproject.org; font-src https://apps.fedoraproject.org; img-src 'self' https://apps.fedoraproject.org https://fedoraproject.org";
 
         # Load configuration files for the default server block.
         include /etc/nginx/default.d/*.conf;
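Review bot: The comment added above the `xml.etree.ElementTree` import says `defuse_stdlib()` "is called anyway", but the call added in the second hunk of this file sits under `if __name__ == '__main__':`, so the stdlib parsers are only hardened when the script is run directly and not when `update-solr.py` is imported by a test or another tool. For this script's own use that is harmless, because `Element` and `tostring` only build and serialize XML, but the comment reads as a blanket guarantee and will mislead the next reader. Either narrow the comment to `# defuse_stdlib() runs in the __main__ guard below; this module only builds/serializes XML, never parses it` or move `defusedxml.defuse_stdlib()` to module scope directly after the imports so the statement holds however the module is loaded. The body of `main()` lies outside both hunks, so whether anything in it parses XML cannot be checked from here.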
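Review bot: The five `add_header` lines apply only to successful and redirect responses; nginx omits `add_header` values on 4xx/5xx responses unless the `always` parameter is given, so error pages from this server block go out without `X-Content-Type-Options`, `X-Frame-Options` or the CSP. Append `always` to each directive, e.g. `add_header X-Content-Type-Options "nosniff" always;`. Separately, nginx does not inherit `add_header` into a `location` (or into the `include /etc/nginx/default.d/*.conf` files that follow) once that scope declares any `add_header` of its own, which silently drops the whole set for that location — a short comment beside these lines, `# add_header is not inherited by locations that set their own headers; repeat the full set there`, would save the next maintainer from that surprise. Finally, `script-src 'self' 'unsafe-eval' 'unsafe-inline'` leaves the CSP with little protection against injected scripts; if the front end genuinely needs it, record the reason next to the directive so the policy can be tightened later rather than treated as final.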