From c69fdb4bd639d417135380fbde0576a36541f295 Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Tue, 31 Oct 2023 14:56:54 +0100
Subject: [PATCH 1/2] reworked Content-Security-Policy header, special case for Binary

To support using Binary resources for HTML reports with inline css and java-script, adding a special case for Binary resources with content-type 'text/html'. Disabling inline css and java-script does not improve security since users that can create malicious Binary resource with HTML can also create malicious Binary resources with css or java-script.
---
 .../filter/BrowserPolicyHeaderResponseFilter.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/webservice/filter/BrowserPolicyHeaderResponseFilter.java b/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/webservice/filter/BrowserPolicyHeaderResponseFilter.java
index 822e44f2b..1ae1a4942 100644
--- a/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/webservice/filter/BrowserPolicyHeaderResponseFilter.java
+++ b/dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/webservice/filter/BrowserPolicyHeaderResponseFilter.java
@@ -29,8 +29,16 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
 headers.add("Cross-Origin-Embedder-Policy", "require-corp");
 headers.add("Cross-Origin-Resource-Policy", "same-site");
 headers.add("Permissions-Policy", "geolocation=(), camera=(), microphone=()");
- headers.add("Content-Security-Policy",
- "frame-ancestors 'none'; default-src 'self'; frame-src 'none'; media-src 'none'; object-src 'none'; worker-src 'none'");
+
+ if (requestContext.getUriInfo() != null && requestContext.getUriInfo().getPath() != null
+ && requestContext.getUriInfo().getPath().startsWith("Binary/"))
+ headers.add("Content-Security-Policy",
+ "base-uri 'self'; frame-ancestors 'none'; form-action 'self'; default-src 'none'; connect-src 'self'; img-src 'self';" + " script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ else
+ headers.add("Content-Security-Policy",
+ "base-uri 'self'; frame-ancestors 'none'; form-action 'self'; default-src 'none'; connect-src 'self'; img-src 'self';" + " script-src 'self'; style-src 'self'");
 }
 }
 }

From 61674aff8c656593bd9ace1021518866a3a72d8b Mon Sep 17 00:00:00 2001
From: Hauke Hund
Date: Tue, 31 Oct 2023 15:21:03 +0100
Subject: [PATCH 2/2] reworked cipher suites and re-enabled TLS v1.2

TLS v1.2 re-enabled because the default curl implementation on Windows uses Schannel SSP for TLS and Schannel for Windows 10 does not support TLS v1.3
---
 dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf | 5 +++--
 dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf b/dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf
index e3899ca6d..04ee80c96 100644
--- a/dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf
+++ b/dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf
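Review bot: The relaxed policy is keyed on the request path prefix `Binary/` alone, so `'unsafe-inline'` for script-src and style-src is sent for every Binary response, not only the `text/html` case the commit message describes; a Binary served in any other representation gets the same relaxed header. Checking the negotiated response media type narrows it to the intended case — presumably the second filter parameter (truncated in the hunk header as `ContainerResponseCont…`) is a JAX-RS `ContainerResponseContext`, whose `getMediaType()` is usable here together with `MediaType` from the same core package: `var uriInfo = requestContext.getUriInfo();` / `boolean htmlBinary = uriInfo != null && uriInfo.getPath() != null && uriInfo.getPath().startsWith("Binary/") && MediaType.TEXT_HTML_TYPE.isCompatible(responseContext.getMediaType());`. The reasoning from the commit message should also sit above the `if`, since the header value alone does not explain why inline script is permitted on this path: `// Binary resources may carry HTML reports with inline CSS/JS; a user able to create such a Binary could equally create script/style Binaries, so 'unsafe-inline' is allowed here and nowhere else.` The two header strings share their first nine directives, and a shared constant for that prefix would keep the branches from drifting apart; the enclosing `filter` method starts outside the hunk.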
@@ -30,8 +30,9 @@ http {
 ssl_certificate /run/secrets/proxy_certificate_and_int_cas.pem;
 ssl_certificate_key /run/secrets/proxy_certificate_private_key.pem;
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security "max-age=63072000" always;
 ssl_client_certificate /run/secrets/proxy_trusted_client_cas.pem;
diff --git a/dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf b/dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf
index a07702ef2..380ddd539 100755
--- a/dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf
+++ b/dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf
@@ -65,7 +65,9 @@ Listen 443
 #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
 #SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
 SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 SSLProxyCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+SSLProxyCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 # User agents such as web browsers are not configured for the user's
 # own preference of either security or performance, therefore this
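Review bot: The three `TLS_AES_*`/`TLS_CHACHA20_*` names at the head of the new `ssl_ciphers` list have no effect: with OpenSSL, `ssl_ciphers` only configures the cipher list for TLS 1.2 and below, while TLS 1.3 suites come from OpenSSL's separate Ciphersuites setting, so the line reads as if it pins TLS 1.3 when TLS 1.3 actually keeps OpenSSL's defaults (currently those same three suites, which is why nothing breaks). If the TLS 1.3 set is meant to be pinned as httpd-ssl.conf does in this commit, that is `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;` (nginx 1.19.4 or later built against OpenSSL 1.1.1+), after which the TLS 1.3 names can be dropped from `ssl_ciphers`; otherwise a comment on the line stating that only the ECDHE entries are effective avoids the misreading. The ECDHE-only list with `ssl_prefer_server_ciphers on` does keep forward secrecy for the re-enabled TLS 1.2, which is worth saying in a comment next to `ssl_protocols` together with the Schannel reason from the commit message.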
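Review bot: The new `SSLCipherSuite SSL` and `SSLProxyCipherSuite SSL` lines carry the same ECDHE list twice here and a third time in nginx.conf in this commit, with nothing recording why the list is restricted to ECDHE key exchange with AEAD ciphers or that the copies must stay aligned. A comment above the pair makes the intent reviewable, e.g. `# TLS <= 1.2 suites (the 'SSL' protocol argument): ECDHE + AEAD only, forward secrecy preserved; keep in sync with dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf`. The two-argument `SSLCipherSuite SSL …` form relies on the same httpd/OpenSSL versions the existing `SSLCipherSuite TLSv1.3 …` line already requires, so no new version constraint is introduced, but that dependency is worth a one-line note as well.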
@@ -80,8 +82,8 @@ SSLHonorCipherOrder on
 # protocol or later should remain in use.
 #SSLProtocol all -SSLv3 -TLSv1
 #SSLProxyProtocol all -SSLv3 -TLSv1
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
-SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
 # Pass Phrase Dialog:
 # Configure the pass phrase gathering process.
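Review bot: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and the `SSLProxyProtocol` line below it are denylists, so any protocol version a future httpd/OpenSSL build adds becomes enabled without a configuration change, and the commented `#SSLProtocol all -SSLv3 -TLSv1` examples just above now read as near-duplicates of the live setting. The allowlist form states the intent directly and mirrors the nginx `ssl_protocols TLSv1.2 TLSv1.3;` from the same commit: `SSLProtocol -all +TLSv1.2 +TLSv1.3` and `SSLProxyProtocol -all +TLSv1.2 +TLSv1.3`. The reason for re-enabling TLS 1.2 lives only in the commit message; a comment next to the directive keeps it from being "tightened" back later, e.g. `# TLS 1.2 kept for clients whose TLS stack lacks TLS 1.3 (curl on Windows 10 via Schannel); TLS 1.3 preferred`.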