diff --git a/core/files/entrypoint_nginx.sh b/core/files/entrypoint_nginx.sh
index d815e50..76502b2 100755
--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@@ -226,6 +226,47 @@ init_nginx() {
 fi
 fi
+ # Adjust Content-Security-Policy
+ echo "... adjusting Content-Security-Policy"
+ # Remove any existing CSP header
+ sed -i '/add_header Content-Security-Policy/d' /etc/nginx/includes/misp
+
+ if [[ -n "$CONTENT_SECURITY_POLICY" ]]; then
+ # If $CONTENT_SECURITY_POLICY is set, add CSP header
+ echo "... setting Content-Security-Policy to '$CONTENT_SECURITY_POLICY'"
+ sed -i "/add_header X-Download-Options/a add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\";" /etc/nginx/includes/misp
+ else
+ # Otherwise, do not add any CSP headers
+ echo "... no Content-Security-Policy header will be set as CONTENT_SECURITY_POLICY is not defined"
+ fi
+
+ # Adjust X-Frame-Options
+ echo "... adjusting X-Frame-Options"
+ # Remove any existing X-Frame-Options header
+ sed -i '/add_header X-Frame-Options/d' /etc/nginx/includes/misp
+
+ if [[ -z "$X_FRAME_OPTIONS" ]]; then
+ echo "... setting 'X-Frame-Options SAMEORIGIN'"
+ sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"SAMEORIGIN\" always;" /etc/nginx/includes/misp
+ else
+ echo "... setting 'X-Frame-Options $X_FRAME_OPTIONS'"
+ sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"$X_FRAME_OPTIONS\";" /etc/nginx/includes/misp
+ fi
+
+ # Adjust HTTP Strict Transport Security (HSTS)
+ echo "... adjusting HTTP Strict Transport Security (HSTS)"
+ # Remove any existing HSTS header
+ sed -i '/add_header Strict-Transport-Security/d' /etc/nginx/includes/misp
+
+ if [[ -n "$HSTS_MAX_AGE" ]]; then
+ # If $HSTS_MAX_AGE is defined, add the HSTS header
+ echo "... setting HSTS to 'max-age=$HSTS_MAX_AGE; includeSubdomains'"
+ sed -i "/add_header X-Download-Options/a add_header Strict-Transport-Security \"max-age=$HSTS_MAX_AGE; includeSubdomains\";" /etc/nginx/includes/misp
+ else
+ # Otherwise, do nothing, keeping without the HSTS header
+ echo "... 
no HSTS header will be set as HSTS_MAX_AGE is not defined"
+ fi
+
 # Testing for files also test for links, and generalize better to mounted files
 if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
 echo "... enabling port 80 redirect"
diff --git a/docker-compose.yml b/docker-compose.yml
index 175ad39..f9e5844 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -192,6 +192,10 @@ services:
 - "PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-50M}"
 - "PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-50M}"
 - "PHP_MAX_INPUT_TIME:${PHP_MAX_INPUT_TIME:-300}"
+ # Security Settings
+ - "HSTS_MAX_AGE=${HSTS_MAX_AGE}"
+ - "X_FRAME_OPTIONS=${X_FRAME_OPTIONS}"
+ - "CONTENT_SECURITY_POLICY=${CONTENT_SECURITY_POLICY}"
 misp-modules:
 image: ghcr.io/misp/misp-docker/misp-modules:${MODULES_RUNNING_TAG:-latest}
diff --git a/template.env b/template.env
index b1188de..d81a7b4 100644
--- a/template.env
+++ b/template.env
@@ -198,3 +198,15 @@ SYNCSERVERS_1_PULL_RULES=
 # NGINX_X_FORWARDED_FOR=true
 # Comma separated list of trusted IP addresses
 # NGINX_SET_REAL_IP_FROM=127.0.0.1
+
+ # Security Settings
+ # Maximum time (in seconds) for HSTS (HTTP Strict Transport Security), ensures HTTPS is used.
+ HSTS_MAX_AGE=
+
+ # X-Frame-Options policy configuration: controls whether the site can be embedded in frames or iframes.
+ # Options: DENY, SAMEORIGIN, ALLOW-FROM Default: SAMEORIGIN
+ X_FRAME_OPTIONS=""
+
+ # Content-Security-Policy (CSP) configuration: defines allowed resources and prevents attacks like XSS.
+ # Example: "frame-src 'self' https://*.example.com; frame-ancestors 'self' https://*.example.com; object-src 'none'; report-uri https://example.com/cspReport"
+ CONTENT_SECURITY_POLICY=""
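Review bot: Three of the four `add_header` lines this hunk inserts omit `always` — the Content-Security-Policy line, the custom X-Frame-Options line and the Strict-Transport-Security line — while the SAMEORIGIN default has it, so nginx emits those headers only on 2xx/3xx responses and error pages go out without CSP or HSTS; append ` always` to all three. The values are also spliced unchecked into a sed `a` command and a double-quoted nginx directive, so a `"`, a backslash or a newline in CONTENT_SECURITY_POLICY, or a non-numeric HSTS_MAX_AGE, breaks the generated config or lets extra directives through; the rewrite below restricts HSTS_MAX_AGE to digits, X_FRAME_OPTIONS to DENY or SAMEORIGIN, and rejects those three characters in the CSP before sed runs. The `/add_header X-Download-Options/a` anchor assumes exactly one such line exists in /etc/nginx/includes/misp, which is not visible here; if it is absent the new headers are silently dropped, so an `nginx -t` after these edits is cheap insurance. If the script runs under `set -u`, the three `[[ -n "$VAR" ]]` tests should read `${VAR:-}` so an image started outside docker-compose does not abort on an unset variable. init_nginx begins before this hunk.
```shell
# … unchanged: delete any existing Content-Security-Policy line …
if [[ -n "$CONTENT_SECURITY_POLICY" ]]; then
  # A '"', '\' or newline would end the quoted nginx directive or the sed script early.
  case "$CONTENT_SECURITY_POLICY" in
    *[\"\\$'\n']*)
      echo "... CONTENT_SECURITY_POLICY must not contain '\"', '\\' or a newline; refusing to start" >&2
      exit 1 ;;
  esac
  echo "... setting Content-Security-Policy to '$CONTENT_SECURITY_POLICY'"
  sed -i "/add_header X-Download-Options/a add_header Content-Security-Policy \"$CONTENT_SECURITY_POLICY\" always;" /etc/nginx/includes/misp
else
  # … unchanged: "no Content-Security-Policy header" message …
fi

# … unchanged: delete any existing X-Frame-Options line …
if [[ -z "$X_FRAME_OPTIONS" ]]; then
  # … unchanged: SAMEORIGIN default with always …
elif [[ "$X_FRAME_OPTIONS" != DENY && "$X_FRAME_OPTIONS" != SAMEORIGIN ]]; then
  echo "... X_FRAME_OPTIONS must be DENY or SAMEORIGIN (got '$X_FRAME_OPTIONS'); refusing to start" >&2
  exit 1
else
  echo "... setting 'X-Frame-Options $X_FRAME_OPTIONS'"
  sed -i "/add_header X-Download-Options/a add_header X-Frame-Options \"$X_FRAME_OPTIONS\" always;" /etc/nginx/includes/misp
fi

# … unchanged: delete any existing Strict-Transport-Security line …
if [[ -n "$HSTS_MAX_AGE" ]]; then
  if [[ ! "$HSTS_MAX_AGE" =~ ^[0-9]+$ ]]; then
    echo "... HSTS_MAX_AGE must be a non-negative integer number of seconds (got '$HSTS_MAX_AGE'); refusing to start" >&2
    exit 1
  fi
  echo "... setting HSTS to 'max-age=$HSTS_MAX_AGE; includeSubdomains'"
  sed -i "/add_header X-Download-Options/a add_header Strict-Transport-Security \"max-age=$HSTS_MAX_AGE; includeSubdomains\" always;" /etc/nginx/includes/misp
else
  # … unchanged: "no HSTS header" message …
fi
```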
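Review bot: The X_FRAME_OPTIONS comment lists ALLOW-FROM as an option, but that directive is obsolete and ignored by current browsers (its job is now done by the CSP `frame-ancestors` directive), and the entrypoint in this same commit does not validate the value, so an operator following the comment ends up with a header that protects nothing. Suggest `# Options: DENY, SAMEORIGIN (ALLOW-FROM is obsolete; use frame-ancestors in CONTENT_SECURITY_POLICY instead). Default: SAMEORIGIN`. The HSTS_MAX_AGE comment could also state that leaving the value empty sends no HSTS header at all, which is what the entrypoint does, so that the empty default is understood as "disabled" rather than "unlimited".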