authorChocobozzz <me@florianbigard.com>2021-04-12 15:33:54 +0200
committerChocobozzz <me@florianbigard.com>2021-04-12 15:33:54 +0200
commit8155db669baff9aac5617a7aaf68dd35823ed7c9 (patch)
tree9a7575cd5d6bc9f4905d02c4a9aedd603ec2ec83
parentc24822a8fdbc0647aa983fe7d784864ec3b9b854 (diff)
Dissociate frameguard from csp
-rw-r--r--config/default.yaml5
-rw-r--r--config/production.yaml.example5
-rw-r--r--server.ts10
-rw-r--r--server/initializers/checker-before-init.ts1
-rw-r--r--server/initializers/config.ts5
-rw-r--r--server/tests/api/server/config.ts34
6 files changed, 55 insertions, 5 deletions
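--- a/config/default.yaml
+++ b/config/default.yaml
@@ -153,6 +153,11 @@ csp:
   report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
   report_uri:
 
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
 tracker:
   # If you disable the tracker, you disable the P2P aspect of PeerTube
   enabled: true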
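Review bot: The comment above the new `security.frameguard` key (line 157) says the header mitigates clickjacking but not what is actually sent or where it is relaxed, which is what an admin deciding on `enabled: false` needs to know; server.ts in this same commit sends `action: 'deny'` and exempts `/videos/embed`. Suggest `# Set the X-Frame-Options header (DENY, except for /videos/embed) to help mitigate clickjacking attacks`. The same comment is duplicated in config/production.yaml.example and should be updated there too.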
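--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -151,6 +151,11 @@ csp:
   report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
   report_uri:
 
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
 tracker:
   # If you disable the tracker, you disable the P2P aspect of PeerTube
   enabled: true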
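--- a/server.ts
+++ b/server.ts
@@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'
 
 if (CONFIG.CSP.ENABLED) {
   app.use(baseCSP)
-  app.use(helmet({
-    frameguard: {
-      action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-    },
-    hsts: false
+}
+
+if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
+  app.use(helmet.frameguard({
+    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
   }))
 }
 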
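Review bot: Replacing the full `helmet({ ... })` call with `helmet.frameguard(...)` on new lines 64–67 drops every other header that `helmet()` installs by default (the old options only opted out of `hsts`), so unless those headers are set elsewhere in server.ts this commit weakens the response headers rather than only dissociating frameguard from CSP. If that is not intended, keep a `app.use(helmet({ frameguard: false, hsts: false }))` inside the CSP block (or unconditionally) and leave the new separate frameguard middleware as is. A short comment on the new block explaining why frameguard is no longer tied to `CONFIG.CSP.ENABLED` would also help, e.g. `// X-Frame-Options is independent of CSP so admins can disable it without losing the CSP`. The surrounding file continues outside this hunk, so this is inferred from the visible lines only.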
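--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -17,6 +17,7 @@ function checkMissedConfig () {
     'log.level',
     'user.video_quota', 'user.video_quota_daily',
     'csp.enabled', 'csp.report_only', 'csp.report_uri',
+    'security.frameguard.enabled',
     'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
     'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
     'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',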
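--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -134,6 +134,11 @@ const CONFIG = {
     REPORT_ONLY: config.get<boolean>('csp.report_only'),
     REPORT_URI: config.get<string>('csp.report_uri')
   },
+  SECURITY: {
+    FRAMEGUARD: {
+      ENABLED: config.get<boolean>('security.frameguard.enabled')
+    }
+  },
   TRACKER: {
     ENABLED: config.get<boolean>('tracker.enabled'),
     PRIVATE: config.get<boolean>('tracker.private'),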
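--- a/server/tests/api/server/config.ts
+++ b/server/tests/api/server/config.ts
@@ -12,6 +12,7 @@ import {
   getConfig,
   getCustomConfig,
   killallServers,
+  makeGetRequest,
   parallelTests,
   registerUser,
   reRunServer,
@@ -508,6 +509,39 @@ describe('Test config', function () {
     checkInitialConfig(server, data)
   })
 
+  it('Should enable frameguard', async function () {
+    this.timeout(25000)
+
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+
+      expect(res.headers['x-frame-options']).to.exist
+    }
+
+    killallServers([ server ])
+
+    const config = {
+      security: {
+        frameguard: { enabled: false }
+      }
+    }
+    server = await reRunServer(server, config)
+
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+
+      expect(res.headers['x-frame-options']).to.not.exist
+    }
+  })
+
   after(async function () {
     await cleanupTests([ server ])
   })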
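Review bot: The enabled-case assertion on new line 522 only checks that `x-frame-options` exists, so a regression that changes the action from `deny` (the value server.ts configures in this commit) to something weaker would still pass; pin it with `expect(res.headers['x-frame-options']).to.equal('DENY')`. The test title `Should enable frameguard` also covers the disabled case on lines 525–542, so a name like `Should enable and disable frameguard` describes it better. The header is only probed on `/api/v1/config`; the `/videos/embed` exemption mentioned in server.ts is not covered here, which may be intentional but is worth a comment.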