cmd/derper: set Content-Security-Policy on DERPs.

It's a basic "deny everything" policy, since DERP's HTTP server is very uninteresting from a browser POV. But it stops every security scanner under the sun from reporting "dangerously configured" HTTP servers. Updates tailscale/corp#3119 Signed-off-by: David Anderson <danderson@tailscale.com>
2024-11-25 19:15:34 +00:00 · 2021-11-24 13:12:13 -08:00 · 2021-11-24 13:12:13 -08:00 · db800ddeac
commit db800ddeac
parent 33c541ae30
1 changed files with 11 additions and 4 deletions
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@ -236,11 +236,18 @@ func main() {
 			return cert, nil
 		}
 		httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Security scanners get cranky when HTTPS sites don't set
-			// HSTS. Set it even though derper doesn't really serve
-			// anything of interest to browsers (and API clients like
-			// tailscale don't obey HSTS).
+			// Set HTTP headers to appease automated security scanners.
+			//
+			// Security automation gets cranky when HTTPS sites don't
+			// set HSTS, and when they don't specify a content
+			// security policy for XSS mitigation.
+			//
+			// DERP's HTTP interface is only ever used for debug
+			// access (for which trivial safe policies work just
+			// fine), and by DERP clients which don't obey any of
+			// these browser-centric headers anyway.
 			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+			w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
 			mux.ServeHTTP(w, r)
 		})
 		go func() {