From ac65a37b0b7a798f4876fc18158ae14a9c8e2829 Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Tue, 6 Aug 2019 01:41:59 -0500
Subject: [PATCH] =?UTF-8?q?Nagios=20=E2=80=93=20API=20Handling=20=E2=80=93?= =?UTF-8?q?=20HTTP=20Security=20Headers=20Not=20Present?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added new X-Content-Type-Options: nosniff header to make sure the browser does not try to detect a different Content-Type than what is actually sent (can lead to XSS)
Added new X-Frame-Options: sameorigin header to protect against drag and drop clickjacking attacks in older browsers
Added new Content-Security-Policy: script-src self for implementation
Added new HTTP Security header X-XSS-Protection:1 mode=block to sanitize the page, when a XSS attack is detected, the browser will prevent rendering of the page

Change-Id: Ic79bbb96484a7f1a497c001883783338fd26a47a
---
 nagios/values.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nagios/values.yaml b/nagios/values.yaml
index 6865dbd04..1ef4ebd00 100644
--- a/nagios/values.yaml
+++ b/nagios/values.yaml
@@ -191,6 +191,11 @@ network:
 nginx.ingress.kubernetes.io/session-cookie-hash: sha1
 nginx.ingress.kubernetes.io/session-cookie-expires: "600"
 nginx.ingress.kubernetes.io/session-cookie-max-age: "600"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-Content-Type-Options: 'nosniff'";
+ more_set_headers "X-Frame-Options: SAMEORIGIN";
+ more_set_headers "Content-Security-Policy: script-src 'self'";
+ more_set_headers "X-XSS-Protection: 1; mode=block";
 node_port:
 enabled: false
 port: 30925
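Review bot: The first added more_set_headers line sends the literal value `'nosniff'` (single quotes included) instead of the bare token `nosniff`, so browsers will not recognize the header and MIME sniffing remains enabled; the inner quotes are CSP source-expression syntax and belong only around values such as `'self'`, not here. Change the line to `more_set_headers "X-Content-Type-Options: nosniff";`. The Content-Security-Policy sets only script-src, so styles, frames, objects and connections stay unrestricted and the policy is narrower than the commit message implies; adding `default-src 'self'` (or at minimum `object-src 'none'; frame-ancestors 'self'`) would give a real baseline, though `script-src 'self'` also blocks inline scripts and this hunk does not show whether the Nagios UI depends on them, so the rendered pages should be checked for CSP console errors before rollout. Note also that a configuration-snippet annotation only takes effect when the ingress is enabled and the ingress controller honors snippet annotations; if it does not, the headers silently never appear, so verifying the response headers against the ingress after deploy is advisable.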