Security: Missing Security Headers

Description

It's best practice in web application security to set some headers that increase the security level of the application. Basically, the following headers should be set by default to increase the security of all deployments:

• X-Frame-Options: deny: Prevents clickjacking attacks and other attack techniques against the application. More....
• X-XSS-Protection: 1; mode=block: Increases the difficulty for exploitation of Cross Site Scripting attacks (XSS) in many browsers. More...
• X-Content-Type-Options: nosniff: Indicate that the browser doesn't tries to deduce a content type different from the Content-Type header. More...

Furthermore recommended, but difficult to implement effectively:

• Content-Security-Policy: Whitelist possible resources and restricts JavaScript usage. Correctly implemented, this increases the difficulty for exploitation of Cross-site scripting attacks. More...

Distribution Name and Version

Reproduced in admin.fusiondirectory.org.

FusionDirectory Version

1.2

PHP version used

Reproduced in admin.fusiondirectory.org.

Origin of php packages

Reproduced in admin.fusiondirectory.org.

Steps to Reproduce

1. Open browsers developer tools (Ctrl-Shift-I in Firefox and Chrome)
2. Choose the network tab of developer tools.
3. Open the main page of a default FusionDirectory instance
4. Check the response headers.

Expected behavior:

The security headers mentioned above are set.

Actual behavior:

No security headers are set.

Reproduces how often: 100%

Additional Information

See the OWASP Security Headers project page and Mozilla web security guide for more information on this topic.

created branch 5842-security-missing-security-headers

By Côme Chilliet on 2018-06-05T09:43:29 (imported from GitLab)

mentioned in merge request !281

By Côme Chilliet on 2018-06-05T09:43:30 (imported from GitLab)

mentioned in commit f215a8ce

By Côme Chilliet on 2018-06-05T09:57:17 (imported from GitLab)

assigned to @MCMic

By Côme Chilliet on 2018-06-05T12:12:38 (imported from GitLab)

changed milestone to %FusionDirectory 1.3

By Côme Chilliet on 2018-06-05T12:12:43 (imported from GitLab)

I added X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff in main.php, index.php and setup.php headers.

I do not feel comfortable setting a header which would forbid using FD in a frame as some users may want to. Maybe this one could be added in the default apache config instead?

By Côme Chilliet on 2018-06-05T12:16:24 (imported from GitLab)

added 1h of time spent at 2018-06-05

By Côme Chilliet on 2018-06-05T12:16:25 (imported from GitLab)

added PJ1802-0188 label

By Côme Chilliet on 2018-06-05T12:16:50 (imported from GitLab)

From security perspective a secure default would be preferable. Perhaps introduction of configuration options could solve this? E.g.

• An option that allows to configure the ALLOW-FROM directive to white list a framing domain
• An option that allows to allow framing of the application generally.

By Patzke Thomas on 2018-06-05T12:39:55 (imported from GitLab)

@pthomas But that can be done in the web server configuration, no? Apache seems to have a directive to set additionnal headers, we could use it to add the noframe header in the example apache config we provide, and people would be able to comment/remove it if needed.

Setting it in FD itself seems problematic. If the user cannot access FD he won’t be able to change the configuration easily.

By Côme Chilliet on 2018-06-05T12:49:51 (imported from GitLab)

From security perspective normal users shouldn't be able to change the setting of an X-Frame-Options header. It is specific to a particular deployment and should be set once by an administrator.

It is possible to set this header in the web server configuration. Including it in an example configuration is a step forward, but providing it from the application with a secure default (DENY) setting would be better, as it would be adopted in more deployments. Yes, the remaining (possibly few) framed deployments would first run into an issue, but there it also makes sense to reconsider such decisions, as they come with certain negative security implications in a application with high security impact as FusionDirectory is.

By Patzke Thomas on 2018-06-12T07:00:06 (imported from GitLab)

hello @MCMic,

i agree with @pthomas using fusiondirectory in a frame raise others security issues. i agree the setting should global in fd headers.

No users i know of use fd in a frame

Cheers

By bmortier on 2018-06-15T13:37:53 (imported from GitLab)

added fusiondirectory-core label

By bmortier on 2018-06-15T13:45:40 (imported from GitLab)

created branch 5842-security-missing-security-headers

By Côme Chilliet on 2018-06-26T09:23:22 (imported from GitLab)

mentioned in merge request !303

By Côme Chilliet on 2018-06-26T09:23:23 (imported from GitLab)

mentioned in commit 4a182d01

By Côme Chilliet on 2018-06-26T09:32:58 (imported from GitLab)

added 1h of time spent at 2018-06-26

By Côme Chilliet on 2018-06-26T09:43:25 (imported from GitLab)

added Security fixes labels

By Côme Chilliet on 2018-06-26T09:59:22 (imported from GitLab)

mentioned in merge request !305

By Côme Chilliet on 2018-06-26T10:00:14 (imported from GitLab)

mentioned in merge request !306

By Côme Chilliet on 2018-06-26T10:12:35 (imported from GitLab)