allow adding custom headers to webadmin
Is it possible to add custom headers to the webadmin? If not, could this ability be added?
Check your webadmin URL on https://securityheaders.io/ and you can see the security headers which should be added:
MISSING Strict-Transport-Security: HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubdomains".
MISSING Content-Security-Policy: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
MISSING Public-Key-Pins: HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
MISSING X-Frame-Options: The X-Frame-Options header tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
MISSING X-Xss-Protection: The X-XSS-Protection header sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
MISSING X-Content-Type-Options: The X-Content-Type-Options header stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. Recommended value "X-Content-Type-Options: nosniff".
- Does HSTS work with ports other than 443?
- Does Content-Security-Policy work without knowing what is the webadmin address or would that require another option?
- And what if users whitelist a MITM which sends this header while having an invalid certificate?
- X-Frame-Options can be a good idea.
- Might not hurt.
- ~~Is there something that some browser would download from webadmin?~~ doesn't seem harmful.
- HSTS does work with non-standard ports, at least it should: https://tools.ietf.org/html/rfc6797
- CSP for webadmin would only need to add entries for 'self', which doesn't require adding the full host.
- HPKP works for me on self-signed certs. If you're arguing HPKP MITM on first try, well, that would apply to all websites on the internet, and HPKP is still seen as a good security measure.
I think ZNC would benefit from adopting a few of these headers by default, but I know these headers may not be for everyone, so my issue wasn't about forcing these into ZNC (sorry if it seemed like that). I was wondering about adding the ability for users to add any custom headers they want, since the webadmin is basically a webserver facing the internet and one might want to add more security measures or customize it in other ways.
Is it worth adding this ability to ZNC when all of these can be supported by putting webadmin behind a lightweight frontend like nginx?
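An added example (not ZNC's own configuration) of the nginx frontend suggested above: nginx terminates TLS for the public name and adds the headers the earlier replies judged worthwhile, with CSP limited to 'self' as discussed. Assumed: a plain (non-SSL) ZNC listener bound to 127.0.0.1:8080, the hostname znc.example.org, and the certificate paths shown; HPKP is left out because pinning would have to cover the proxy's certificate, not ZNC's.

```nginx
# Added example, not part of ZNC. Assumed values: ZNC webadmin on a
# localhost-only plain listener at 127.0.0.1:8080, public name
# znc.example.org, certificate files under /etc/ssl/znc.example.org/.
server {
    listen 443 ssl;
    server_name znc.example.org;

    ssl_certificate     /etc/ssl/znc.example.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/znc.example.org/privkey.pem;

    # "always" emits the headers on error responses as well (nginx >= 1.7.5),
    # so a 4xx/5xx page from ZNC is covered too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # Only 'self', so the webadmin host does not have to be hard-coded.
    # Check the browser console for blocked assets before tightening further.
    add_header Content-Security-Policy "default-src 'self'" always;

    location / {
        # Caveat: an add_header inside this block would replace, not extend,
        # the server-level headers above; keep all add_header lines together.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading nginx, re-running the securityheaders.io check against https://znc.example.org/ should show the five headers present; keep the ZNC listener bound to localhost so the webadmin cannot be reached without the proxy.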
On 10/29/2015 01:45 PM, dgw wrote:
> Is it worth adding this ability to ZNC when all of these can be supported by putting webadmin behind a lightweight frontend like nginx?
This isn't always an option for individuals running ZNC on shells - they usually won't have the capacity to set up nginx to handle those options. Fine for users who have VPSes and root and such, but not for everyone, especially people running via userspace - they'd have to compile nginx or such into userspace in order to make that work.
I'm running ZNC on my own server, but the box is not big enough for apache2 and nginx at the same time; also, I don't know my way around nginx... Anyway, QualysGuard is moaning & groaning: https://gyazo.com/a89a294c1ccdcf08e54a9ea4d8e72dce
I'd really like an option (or mod or plugin) to add headers, and also to disable autocomplete on the login forms.
I guess this is dead?
@lemmy04 patch (or mod or plugin etc) welcome