Fix duplicate security headers (#8726)
Our NGINX configuration adds some headers to all responses, but Django
already outputs these headers via `SecurityMiddleware` and
`XFrameOptionsMiddleware`. So we end up with duplicate headers in the
response, which has undefined semantics (and is just plain confusing).

I don't want to remove these headers from the Django configuration
(because I want them to still be output when run via the development
server) _or_ from the NGINX configuration (because they should still be
added when serving static files). So instead, keep them in both places,
but let NGINX add each header only if the upstream server has not
already added one.

Also, update the referrer policy in Django to match the one we're using
elsewhere.
SpecLad authored Nov 20, 2024
1 parent 3eec9fe commit 67f511b
Showing 3 changed files with 22 additions and 3 deletions.
4 changes: 4 additions & 0 deletions changelog.d/20241120_172837_roman.md
@@ -0,0 +1,4 @@
### Fixed

- Fixed security header duplication in HTTP responses from the backend
(<https://github.com/cvat-ai/cvat/pull/8726>)
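Review bot: the changelog entry only records the de-duplication, but this commit also changes what the Django development server sends on its own: `SECURE_REFERRER_POLICY` in `cvat/settings/base.py` overrides Django's default of `same-origin` with `strict-origin-when-cross-origin`. Consider a second line under a `### Changed` heading so that policy change is discoverable by people reading release notes rather than the diff.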
19 changes: 16 additions & 3 deletions cvat/nginx.conf
@@ -41,14 +41,27 @@ http {
# CVAT Settings
##

# Only add security headers if the upstream server does not already provide them.
map $upstream_http_referrer_policy $hdr_referrer_policy {
'' "strict-origin-when-cross-origin";
}

map $upstream_http_x_content_type_options $hdr_x_content_type_options {
'' "nosniff";
}

map $upstream_http_x_frame_options $hdr_x_frame_options {
'' "deny";
}

server {
listen 8080;
# previously used value
client_max_body_size 1G;

add_header X-Frame-Options deny;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy $hdr_referrer_policy always;
add_header X-Content-Type-Options $hdr_x_content_type_options always;
add_header X-Frame-Options $hdr_x_frame_options always;

server_name _;

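Review bot: the three `add_header` directives sit at `server` level, and in NGINX an `add_header` inside any nested `location` replaces the whole inherited set instead of extending it, so please confirm that none of the `location` blocks further down this `server` (outside the hunk) declare their own `add_header`; if one does, all three security headers silently vanish for that path and the `map` variables have to be re-applied there. The fallback mechanism itself is sound: a `map` with no `default` yields an empty string whenever `$upstream_http_*` is non-empty, and `add_header` does not emit a header whose value is empty, so the header appears only when the upstream omitted it (which includes static files that never reach the upstream). One behavioural change the commit message does not call out: `X-Frame-Options` previously had no `always`, so it is now also attached to error responses, in line with the other two headers. Minor: the map uses `deny` where Django's `XFrameOptionsMiddleware` sends `DENY`; using `DENY` here avoids the same policy showing up under two spellings depending on which layer emitted it.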
2 changes: 2 additions & 0 deletions cvat/settings/base.py
@@ -574,6 +574,8 @@ class CVAT_QUEUES(Enum):
# How django uses X-Forwarded-Proto - https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

SECURE_REFERRER_POLICY = 'strict-origin-when-cross-origin'

# Forwarded host - https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-USE_X_FORWARDED_HOST
# Is used in TUS uploads to provide correct upload endpoint
USE_X_FORWARDED_HOST = True
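Review bot: `SECURE_REFERRER_POLICY` is added without the explanatory comment and docs link that its neighbours carry, and nothing here records that the value must stay identical to the `Referrer-Policy` fallback in the `map` block of `cvat/nginx.conf`; a one-line comment such as `# Must match the Referrer-Policy fallback in cvat/nginx.conf` would keep the two from drifting apart, since a mismatch would reintroduce conflicting policies between backend and static responses. It is also worth noting in the commit message that this replaces Django's default `same-origin`, so requests served directly by the development server now receive a different policy than before this change.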

0 comments on commit 67f511b