feat: add CSP and other security related headers in the oCIS proxy se…

…rvice

changelog/unreleased/csp.md

@@ -0,0 +1,5 @@
+Enhancement: Add CSP and other security related headers to oCIS
+
+General hardening of oCIS
+
+https://github.com/owncloud/ocis/pull/8777

go.mod

@@ -86,6 +86,7 @@ require (
 	github.com/thejerf/suture/v4 v4.0.5
 	github.com/tidwall/gjson v1.17.1
 	github.com/tus/tusd v1.13.0
+	github.com/unrolled/secure v1.14.0
 	github.com/urfave/cli/v2 v2.27.1
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	go-micro.dev/v4 v4.10.2

go.sum

@@ -2028,6 +2028,8 @@ github.com/tus/tusd v1.13.0 h1:W7rtb1XPSpde/GPZAgdfUS3vus2Jt2KmckS6OUd3CU8=
 github.com/tus/tusd v1.13.0/go.mod h1:1tX4CDGlx8koHGFJdSaJ5ybUIm2NeVloJgZEPSKRcQA=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
+github.com/unrolled/secure v1.14.0 h1:u9vJTU/pR4Bny0ntLUMxdfLtmIRGvQf2sEFuA0TG9AE=
+github.com/unrolled/secure v1.14.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/urfave/cli/v2 v2.27.1 h1:8xSQ6szndafKVRmfyeUMxkNUJQMjL1F2zmsZ+qHpfho=

services/proxy/pkg/command/server.go

@@ -313,6 +313,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config,
 		chimiddleware.RequestID,
 		middleware.AccessLog(logger),
 		middleware.HTTPSRedirect,
+		middleware.Security(),
 		router.Middleware(cfg.PolicySelector, cfg.Policies, logger),
 		middleware.Authentication(
 			authenticators,

services/proxy/pkg/middleware/security.go

@@ -0,0 +1,40 @@
+package middleware
+
+import (
+	"github.com/unrolled/secure"
+	"github.com/unrolled/secure/cspbuilder"
+	"net/http"
+)
+
+// Security is a middleware to apply security relevant http headers like CSP.
+func Security() func(h http.Handler) http.Handler {
+	// some way to configure them is necessary for external integrations
+	// e.g. draw.io, OnlyOffice, Collabora ....
+	cspBuilder := cspbuilder.Builder{
+		Directives: map[string][]string{
+			cspbuilder.ConnectSrc:  {"'self'"},
+			cspbuilder.ChildSrc:    {"'self'", "https://embed.diagrams.net/"},
+			cspbuilder.DefaultSrc:  {"'none'"},
+			cspbuilder.FontSrc:     {"'self'"},
+			cspbuilder.FrameSrc:    {"'self'", "blob:"},
+			cspbuilder.ImgSrc:      {"'self'", "data:", "blob:"},
+			cspbuilder.ManifestSrc: {"'self'"},
+			cspbuilder.MediaSrc:    {"'self'"},
+			cspbuilder.ObjectSrc:   {"'self'", "blob:"},
+			cspbuilder.ScriptSrc:   {"'self'", "'unsafe-inline'"},
+			cspbuilder.StyleSrc:    {"'self'", "'unsafe-inline'"},
+		},
+	}
+	secureMiddleware := secure.New(secure.Options{
+		BrowserXssFilter:        true,
+		ContentSecurityPolicy:   cspBuilder.MustBuild(),
+		ContentTypeNosniff:      true,
+		CustomFrameOptionsValue: "SAMEORIGIN",
+		ReferrerPolicy:          "strict-origin-when-cross-origin",
+		STSSeconds:              315360000,
+		STSPreload:              true,
+	})
+	return func(next http.Handler) http.Handler {
+		return secureMiddleware.Handler(next)
+	}
+}