Browse Source

Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https.
It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
adaptive-webui-19844
Thomas Piccirello 7 years ago
parent
commit
8f98f87d12
  1. 4
      src/webui/webapplication.cpp
  2. 1
      src/webui/webapplication.h

4
src/webui/webapplication.cpp

@ -431,6 +431,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled(); m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled(); m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
} }
void WebApplication::registerAPIController(const QString &scope, APIController *controller) void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN"); header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';"); csp += QLatin1String(" frame-ancestors 'self';");
} }
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp); header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);

1
src/webui/webapplication.h

@ -146,4 +146,5 @@ private:
// security related // security related
bool m_isClickjackingProtectionEnabled; bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled; bool m_isCSRFProtectionEnabled;
bool m_isHttpsEnabled;
}; };

Loading…
Cancel
Save