diff --git a/.golangci.yml b/.golangci.yml
index 8ed29e0343..af560657a5 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -49,6 +49,7 @@ linters-settings:
replace-allow-list:
- github.com/studio-b12/gowebdav
- github.com/egirna/icap-client
+ - github.com/unrolled/secure
interfacebloat:
max: 15
diff --git a/changelog/unreleased/csp.md b/changelog/unreleased/csp.md
new file mode 100644
index 0000000000..a25f8fe503
--- /dev/null
+++ b/changelog/unreleased/csp.md
@@ -0,0 +1,5 @@
+Enhancement: Add CSP and other security related headers to oCIS
+
+General hardening of oCIS
+
+https://github.com/owncloud/ocis/pull/8777
diff --git a/deployments/examples/ocis_wopi/config/ocis/csp.yaml b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
new file mode 100644
index 0000000000..518f906f14
--- /dev/null
+++ b/deployments/examples/ocis_wopi/config/ocis/csp.yaml
@@ -0,0 +1,35 @@
+directives:
+ child-src:
+ - '''self'''
+ connect-src:
+ - '''self'''
+ default-src:
+ - '''none'''
+ font-src:
+ - '''self'''
+ frame-ancestors:
+ - '''none'''
+ frame-src:
+ - '''self'''
+ - 'https://embed.diagrams.net/'
+ - 'https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/'
+ - 'https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/'
+ img-src:
+ - '''self'''
+ - 'data:'
+ - 'blob:'
+ - 'https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/'
+ - 'https://${COLLABORA_DOMAIN:-collabora.owncloud.test}/'
+ manifest-src:
+ - '''self'''
+ media-src:
+ - '''self'''
+ object-src:
+ - '''self'''
+ - 'blob:'
+ script-src:
+ - '''self'''
+ - '''unsafe-inline'''
+ style-src:
+ - '''self'''
+ - '''unsafe-inline'''
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index 00a41ee1f8..f9ce508b48 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
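Review bot: `script-src` in the new csp.yaml carries `'unsafe-inline'`, which lets any inline script that ends up in the page execute, so this policy does not stop script injection the way a CSP is meant to; `style-src 'unsafe-inline'` weakens it further, though less severely. If the web frontend currently needs inline scripts, a comment above the directive saying so, and noting that a nonce or hash is the tightening path, would keep operators from copying this example as a hardened baseline. `object-src` is `'self'` plus `blob:`; `'none'` is the usual value unless object/plugin embedding is actually required. `base-uri` and `form-action` do not fall back to `default-src 'none'`, so they are unrestricted here; `base-uri 'self'` and `form-action 'self'` would be the customary additions if the frontend tolerates them.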
@@ -88,8 +88,10 @@ services:
MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
NATS_NATS_HOST: 0.0.0.0
NATS_NATS_PORT: 9233
+ PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
volumes:
- ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
+ - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
- ./config/ocis/${COMPANION_WEB_CONFIG_FILE_NAME:-web.yaml}:/etc/ocis/web.yaml
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
diff --git a/go.mod b/go.mod
index a8bbb6b5c4..b7b5372cae 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
github.com/Masterminds/semver v1.5.0
github.com/MicahParks/keyfunc v1.9.0
github.com/Nerzal/gocloak/v13 v13.9.0
+ github.com/a8m/envsubst v1.4.2
github.com/bbalet/stopwords v1.0.0
github.com/blevesearch/bleve/v2 v2.4.0
github.com/cenkalti/backoff v2.2.1+incompatible
@@ -86,6 +87,7 @@ require (
github.com/thejerf/suture/v4 v4.0.5
github.com/tidwall/gjson v1.17.1
github.com/tus/tusd v1.13.0
+ github.com/unrolled/secure v1.14.0
github.com/urfave/cli/v2 v2.27.1
github.com/xhit/go-simple-mail/v2 v2.16.0
go-micro.dev/v4 v4.10.2
@@ -355,6 +357,8 @@ replace github.com/studio-b12/gowebdav => github.com/aduffeck/gowebdav v0.0.0-20
replace github.com/egirna/icap-client => github.com/fschade/icap-client v0.0.0-20240123094924-5af178158eaf
+replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb
+
// exclude the v2 line of go-sqlite3 which was released accidentally and prevents pulling in newer versions of go-sqlite3
// see https://github.com/mattn/go-sqlite3/issues/965 for more details
exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
diff --git a/go.sum b/go.sum
index 3701d0d1f9..355d58d8ee 100644
--- a/go.sum
+++ b/go.sum
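Review bot: The new `csp.yaml` bind mount in the `volumes` list is writable from inside the container, like the existing `app-registry.yaml` mount next to it; since this file defines the response security policy, mounting it read-only, `- ./config/ocis/csp.yaml:/etc/ocis/csp.yaml:ro`, keeps a misbehaving or compromised process from rewriting its own CSP. The `${ONLYOFFICE_DOMAIN:-...}` and `${COLLABORA_DOMAIN:-...}` placeholders inside csp.yaml are presumably expanded by the proxy at load time (the go.mod hunk adds `github.com/a8m/envsubst`), so the example should say that those variables have to reach the ocis container's environment; `PROXY_CSP_CONFIG_FILE_LOCATION` is set here, but nothing visible in this hunk passes the two domain variables through, and the defaults would silently apply if they are only set on the host.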
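Review bot: The new `replace github.com/unrolled/secure => github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb` redirects a security-header library to a personal fork with no note of why, while the `exclude` directive right below it carries an explanatory comment with an issue link. A comment such as `// TODO: drop once <needed change> is merged upstream in unrolled/secure, see <upstream PR/issue link>` would tell a future maintainer when the replace can go away and what to re-review when the fork moves; the matching `.golangci.yml` allow-list entry in this commit would benefit from the same pointer. The pseudo-version pins an exact commit and go.sum records its hash, so reproducibility is not the concern here, only documentation and ownership of the fork.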
@@ -798,6 +798,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
github.com/CiscoM31/godata v1.0.10 h1:DZdJ6M8QNh4HquvDDOqNLu6h77Wl86KGK7Qlbmb90sk=
github.com/CiscoM31/godata v1.0.10/go.mod h1:ZMiT6JuD3Rm83HEtiTx4JEChsd25YCrxchKGag/sdTc=
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb h1:Ugrv7ivJ035zunmhmGEBSXL76tyxRNH5XaBSQUTqf38=
+github.com/DeepDiver1975/secure v0.0.0-20240424132259-5b29166734cb/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/KimMachineGun/automemlimit v0.6.0 h1:p/BXkH+K40Hax+PuWWPQ478hPjsp9h1CPDhLlA3Z37E=
github.com/KimMachineGun/automemlimit v0.6.0/go.mod h1:T7xYht7B8r6AG/AqFcUdc7fzd2bIdBKmepfP2S1svPY=
@@ -824,6 +826,8 @@ github.com/RoaringBitmap/roaring v1.2.3 h1:yqreLINqIrX22ErkKI0vY47/ivtJr6n+kMhVO
github.com/RoaringBitmap/roaring v1.2.3/go.mod h1:plvDsJQpxOC5bw8LRteu/MLWHsHez/3y6cubLI4/1yE=
github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
+github.com/a8m/envsubst v1.4.2 h1:4yWIHXOLEJHQEFd4UjrWDrYeYlV7ncFWJOCBRLOZHQg=
+github.com/a8m/envsubst v1.4.2/go.mod h1:MVUTQNGQ3tsjOOtKCNd+fl8RzhsXcDvvAEzkhGtlsbY=
github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6 h1:ws0yvsikTQdmheKINP16tBzAHdttrHwbz/q3Fgl9X1Y=
github.com/aduffeck/gowebdav v0.0.0-20231215102054-212d4a4374f6/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
diff --git a/ocis-pkg/middleware/header.go b/ocis-pkg/middleware/header.go
index 9db2908148..2e82d65931 100644
--- a/ocis-pkg/middleware/header.go
+++ b/ocis-pkg/middleware/header.go
@@ -38,22 +38,3 @@ func Cors(opts ...cors.Option) func(http.Handler) http.Handler {
AllowCredentials: options.AllowCredentials,
})
}
-
-// Secure writes required access headers to all requests.
-func Secure(next http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- // Indicates whether the browser is allowed to render this page in a ,