Thanks Mark, then I will just work on the nginx configuration that I have
created for Guacamole. These add_header lines are the ones I am planning on
adding to the existing Guacamole nginx conf file; does this look right to you?
Thanks in advance
# Config to not allow the browser to render the page inside a frame or iframe
add_header X-Frame-Options SAMEORIGIN;

# Disable content-type sniffing on some browsers
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
add_header X-XSS-Protection "1; mode=block";

# Content Security Policy (CSP) enabled
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'";

# Config to enable HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

server {
    listen 80;
    server_name .....;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443;
    server_name .....;
    # common SSL parameters
    include /etc/nginx/conf.d/...;
    ....
}
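To confirm what the proxy really sends, here is an added Python checker (not code from this thread or from the Guacamole project) that audits a set of response headers like the ones above: it parses the CSP into directives, flags 'unsafe-inline' and 'unsafe-eval' in script-src and a missing frame-ancestors directive, and checks the HSTS max-age. The SAMPLE_HEADERS dict is constructed to mirror the add_header lines above; feed it the headers of a real response to audit a live proxy.

```python
import re

# Constructed sample: the header set the add_header lines above would produce.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
        "'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self'; "
        "font-src 'self'; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
}
REQUIRED = ("x-frame-options", "x-content-type-options",
            "content-security-policy", "strict-transport-security")
ONE_YEAR = 31536000

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value):
    """Return the HSTS max-age in seconds, or None if the token is absent."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None

def audit_headers(headers):
    """Return a list of findings; an empty list means nothing was flagged."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name not in lower]
    csp = parse_csp(lower.get("content-security-policy", ""))
    # script-src falls back to default-src when it is not set explicitly
    scripts = csp.get("script-src", csp.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}")
    if csp and "frame-ancestors" not in csp:
        findings.append("no frame-ancestors directive (CSP form of X-Frame-Options)")
    age = hsts_max_age(lower.get("strict-transport-security", ""))
    if age is not None and age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below one year")
    return findings
```

Auditing the live response rather than the config file matters because nginx only inherits add_header lines from the http context into a server or location block that declares no add_header of its own.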
On Wednesday, September 19, 2018, 10:13:24 AM EDT, Mark Nolan
<[email protected]> wrote:
I haven't done this myself, though I have written other filters. If you
have a reverse proxy in front of tomcat anyway, it is conventional to
implement your security headers there rather than in tomcat.
But I'm afraid I can't comment on the best way to do this.
M.
On Wed, 19 Sep 2018, 19:23 Tezarin, <[email protected]> wrote:
> Mark,
>
> Thank you for your prompt reply. Right now my other alternative would be
> to modify the nginx entry for Guacamole and add the line below to the
> config file, I was consulting the info found on this page:
> https://gist.github.com/plentz/6737338
>
> # Content Security Policy (CSP) enabled
> add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self'; font-src 'self'; object-src 'none'";
>
> Not sure if that would work, but can you please elaborate on the custom
> filter? Do you have any examples for the CSP so I can use for the Guacamole?
>
> Thanks
>
> On Wednesday, September 19, 2018, 9:35:57 AM EDT, Mark Nolan <
> [email protected]> wrote:
>
> Difficult to know what your exact requirements are. For samples of CSP
> headers, you can look here:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> I don't have any specific experience with CSP, but to add custom headers,
> you will need to use a filter.
>
> I thought the http header security filter might do it, but it looks like it
> doesn't. You should still consider it:
> https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html.
>
> Other than that, you will probably need to write a custom filter, which is
> what I have always ended up doing for odd header requirements.
>
> Mark
>
>
> On Wed, 19 Sep 2018, 18:12 Tezarin, <[email protected]> wrote:
>
> > Hi,
> > I need to implement a Content Security Policy (CSP) for the guacamole web
> > application. This is done via http headers added to the response from the
> > tomcat server running guacamole. So here are the questions I would ask
> > myself:
> > 1. How do I add HTTP headers to a tomcat server or guacamole
> >    configuration? If I cannot do it easily, how do I add them to an nginx
> >    config for a proxied application?
> > 2. What is the format of the CSP header?
> > 3. What is a good CSP policy to implement to cover what we need?
> > I was just wondering if anyone has done this before. Any help would be
> > much appreciated. I am using Guacamole inside docker containers.
> > Thanks
> >
>