From 740f799b9c7cdc4e1d80782c2ff8190bae6c3a69 Mon Sep 17 00:00:00 2001
From: Evilham
Date: Fri, 2 Dec 2022 11:13:33 +0100
Subject: [PATCH] [WP] Add CSP and Content-Type-Options headers

We do this more reliably on HAProxy, as doing it from WP requires specialised plugins and in DD we are sure that traffic goes through the corresponding HAProxy backend.
---
 dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf | 6 +++---
 dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf b/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf
index 715c4a4..d341b8f 100644
--- a/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf
+++ b/dd-sso/docker/haproxy/haproxy.cnf.parts/backends.cnf
@@ -48,9 +48,9 @@ backend be_oof
 backend be_wp
     mode http
-
-    http-request set-header X-SSL %[ssl_fc]
-    http-request set-header X-Forwarded-Proto https
+    # Add security headers here, as WP is a tad of a pain to setup
+    http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data: *; style-src 'self' 'unsafe-inline' data: fonts.googleapis.com maxcdn.bootstrapcdn.com; font-src 'self' data: fonts.gstatic.com maxcdn.bootstrapcdn.com"
+    http-response set-header X-Content-Type-Options "nosniff"
     server wp dd-apps-wordpress:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
 #
 # END: backends.cnf
diff --git a/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf b/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf
index 7784f4f..b80d370 100644
--- a/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf
+++ b/dd-sso/docker/haproxy/haproxy.cnf.parts/bind-direct.cnf
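Review bot: The Content-Security-Policy added to be_wp leaves framing and base/form hijacking uncovered, because `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`; consider appending `; frame-ancestors 'self'; base-uri 'self'; form-action 'self'` to the policy string, verifying `form-action` against any SSO redirect flow the site relies on before enabling it. The `script-src 'self' 'unsafe-inline' 'unsafe-eval'` part means the policy mostly restricts remote origins and does little against injected inline script, which is a known WordPress constraint but should be stated on the comment line, e.g. `# CSP: 'unsafe-inline'/'unsafe-eval' are needed by WP; this mainly limits remote origins, not inline injection`. Rolling the same value out as `Content-Security-Policy-Report-Only` first would show what the site actually loads before the enforcing header reaches users. The removed X-SSL and X-Forwarded-Proto lines are reintroduced in bind-direct.cnf, so any other frontend that routes to be_wp presumably now reaches WordPress without them — worth confirming.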
@@ -12,6 +12,9 @@ http-request del-header X-Forwarded-Proto
     # But add our forwarding headers instead
     option forwardfor
+    # We are always doing TLS, except for redirections
+    http-request set-header X-SSL %[ssl_fc]
+    http-request set-header X-Forwarded-Proto https
     # New line to test URI to see if its a letsencrypt request
     acl letsencrypt-acl path_beg /.well-known/acme-challenge/
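Review bot: `X-Forwarded-Proto https` is now stamped on every request unconditionally, while the added comment itself admits that plaintext requests reach this frontend (redirections) and the ACME-challenge acl two lines below suggests port-80 traffic is handled here too; if any clear-text request is forwarded to a backend rather than redirected, that backend will be told it was https. Making the header follow the connection, as the X-SSL line already does with `%[ssl_fc]`, avoids this: `http-request set-header X-Forwarded-Proto https if { ssl_fc }`. Because the frontend already deletes the client-supplied header above the hunk (visible in the hunk header context), plaintext requests would then carry no X-Forwarded-Proto at all, which is the honest value. The enclosing frontend section starts and ends outside this hunk, so I cannot see whether the challenge path is redirected or proxied.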