
[RFE] Harden Apache security

Open carma12 opened this issue 1 year ago • 2 comments

As stated here, there are some security issues with Apache in IPA.

Highlights:

  • IPA sets Content-Security-Policy in ipa.conf:
    • Header always append Content-Security-Policy "frame-ancestors 'none'"
    • 'none' means no resources are allowed to load, so it's no wonder that the page is blank.
  • It just doesn't set the default-src or script-src values.
  • IPA always sets X-Frame:
    • Header always append X-Frame-Options DENY

We would need to evaluate the UI to support the additional CSP values (e.g. how scripts are loaded, inline scripts, etc).

carma12 avatar Jun 29 '23 07:06 carma12
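To make the gap the issue describes concrete, here is an added example (not freeipa-webui or FreeIPA code) that parses a Content-Security-Policy value into directives and audits a response's headers for the two points raised above: whether the fetch directives default-src and script-src are set, and whether the framing protection is consistent between frame-ancestors and X-Frame-Options. The "current" sample headers mirror the two ipa.conf lines quoted in the issue; the "hardened" sample and its source lists are hypothetical and stand in for whatever the UI evaluation decides the real values must be. Note that frame-ancestors only governs who may embed the page, while default-src and script-src govern what the page itself may load, which is why both groups are checked separately.

```python
"""Audit security headers for the CSP points raised in this issue.

Added example, not part of freeipa-webui. The sample headers below are
constructed: the frame-ancestors and X-Frame-Options values mirror what the
issue quotes from ipa.conf; everything else is hypothetical.
"""
from typing import Dict, List

# Fetch directives the issue notes are absent. Unlike frame-ancestors (who may
# embed the page), these control what the page itself is allowed to load.
REQUIRED_FETCH_DIRECTIVES = ("default-src", "script-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # The first occurrence of a directive wins; later duplicates are ignored.
        policy.setdefault(name, sources)
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings: List[str] = []
    # Header names are case-insensitive, so normalise once.
    lower = {k.lower(): v for k, v in headers.items()}

    csp_raw = lower.get("content-security-policy")
    if csp_raw is None:
        findings.append("missing Content-Security-Policy header")
        csp: Dict[str, List[str]] = {}
    else:
        csp = parse_csp(csp_raw)
        for directive in REQUIRED_FETCH_DIRECTIVES:
            if directive not in csp:
                findings.append(f"CSP does not set {directive}")
        if "script-src" in csp and "'unsafe-inline'" in csp["script-src"]:
            findings.append("script-src allows 'unsafe-inline'")

    # Framing: frame-ancestors 'none' (modern) and X-Frame-Options DENY (legacy)
    # should agree; flag a missing protection or a contradiction between them.
    fa = csp.get("frame-ancestors")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if fa is None and not xfo:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")
    elif fa == ["'none'"] and xfo and xfo != "DENY":
        findings.append(f"frame-ancestors 'none' conflicts with X-Frame-Options {xfo}")
    return findings


# Constructed sample: the two headers the issue says ipa.conf emits today.
CURRENT_IPA_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

# Constructed sample of a policy that also restricts what the page loads.
# The source lists are hypothetical; the real ones depend on how the UI
# loads scripts and styles, which is the evaluation the issue calls for.
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; style-src 'self'; "
        "frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("current", CURRENT_IPA_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Run against the "current" sample the audit reports that default-src and script-src are unset; against the "hardened" sample it reports nothing. Feeding it real response headers (for example from a `curl -I` of the deployed UI) is a quick way to confirm a change to ipa.conf actually took effect.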

This issue has not received any attention in 120 days.

github-actions[bot] avatar Dec 11 '23 12:12 github-actions[bot]

Removed stale label as this will be eventually addressed.

carma12 avatar Dec 11 '23 13:12 carma12