Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(templates): add CSP headers for Admin GUI #14287

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

fix(templates): add CSP headers for Admin GUI #14287

wants to merge 1 commit into from
+169 −1

Conversation

sumimakito
Copy link
Member

@sumimakito sumimakito commented Feb 17, 2025
edited
Loading

Summary

This pull request adds Content-Security-Policy and Referrer-Policy headers while serving Admin GUI requests.

Since the Content-Security-Policy has caused some issues with the Kong Manager before, we introduce a new configuration parameter admin_gui_csp_header which defaults to "off" to control the availability of this header. Users can opt in manually.

As for the Referrer-Policy header, we will serve 'strict-origin-when-cross-origin' which seems to be the default value today:

Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

MDN reference

Checklist

Issue reference

FTI-4283

@github-actions github-actions bot added core/templates cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee labels Feb 17, 2025
@sumimakito sumimakito force-pushed the FTI-4283-security-headers branch from b9ac457 to 7f0b16b Compare February 17, 2025 09:07
@sumimakito sumimakito force-pushed the FTI-4283-security-headers branch from 7f0b16b to c3e287f Compare February 17, 2025 09:40
@pull-request-size pull-request-size bot added size/M and removed size/S labels Feb 17, 2025
@sumimakito sumimakito force-pushed the FTI-4283-security-headers branch 3 times, most recently from ff764f8 to 68ef6aa Compare February 19, 2025 09:29
@pull-request-size pull-request-size bot added size/L and removed size/M labels Feb 19, 2025
@sumimakito sumimakito mentioned this pull request Feb 20, 2025
Draft
@sumimakito sumimakito force-pushed the FTI-4283-security-headers branch 3 times, most recently from 50e067f to de82815 Compare February 26, 2025 09:06
@sumimakito sumimakito force-pushed the FTI-4283-security-headers branch from de82815 to a1c51b6 Compare February 26, 2025 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@sumimakito sumimakito

Labels
cherry-pick kong-ee schedule this PR for cherry-picking to kong/kong-ee core/cli core/configuration core/templates size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sumimakito