IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

switches default value for security settings (#25175)

Browse Source 
closes #25163
This commit is contained in:
Carl Bergquist 2020-05-28 10:38:22 +02:00 committed by GitHub
parent 3833aa416d
commit 328ea80cca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
conf/defaults.ini
View File

@ -202,12 +202,12 @@ strict_transport_security_subdomains = false
# Set to true to enable the X-Content-Type-Options response header. # Set to true to enable the X-Content-Type-Options response header.
# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3. # in the Content-Type headers should not be changed and be followed.
x_content_type_options = false x_content_type_options = true
# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3. # when they detect reflected cross-site scripting (XSS) attacks.
x_xss_protection = false x_xss_protection = true
#################################### Snapshots ########################### #################################### Snapshots ###########################

8
conf/sample.ini
View File

@ -203,12 +203,12 @@
# Set to true to enable the X-Content-Type-Options response header. # Set to true to enable the X-Content-Type-Options response header.
# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised # The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
# in the Content-Type headers should not be changed and be followed. The default will change to true in the next minor release, 6.3. # in the Content-Type headers should not be changed and be followed.
;x_content_type_options = false ;x_content_type_options = true
# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading # Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
# when they detect reflected cross-site scripting (XSS) attacks. The default will change to true in the next minor release, 6.3. # when they detect reflected cross-site scripting (XSS) attacks.
;x_xss_protection = false ;x_xss_protection = true
#################################### Snapshots ########################### #################################### Snapshots ###########################
[snapshots] [snapshots]

4
pkg/setting/setting.go
View File

@ -751,8 +751,8 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
AllowEmbedding = security.Key("allow_embedding").MustBool(false) AllowEmbedding = security.Key("allow_embedding").MustBool(false)
ContentTypeProtectionHeader = security.Key("x_content_type_options").MustBool(false) ContentTypeProtectionHeader = security.Key("x_content_type_options").MustBool(true)
XSSProtectionHeader = security.Key("x_xss_protection").MustBool(false) XSSProtectionHeader = security.Key("x_xss_protection").MustBool(true)
StrictTransportSecurity = security.Key("strict_transport_security").MustBool(false) StrictTransportSecurity = security.Key("strict_transport_security").MustBool(false)
StrictTransportSecurityMaxAge = security.Key("strict_transport_security_max_age_seconds").MustInt(86400) StrictTransportSecurityMaxAge = security.Key("strict_transport_security_max_age_seconds").MustInt(86400)
StrictTransportSecurityPreload = security.Key("strict_transport_security_preload").MustBool(false) StrictTransportSecurityPreload = security.Key("strict_transport_security_preload").MustBool(false)