Added following security enhancements:

1) Added ALLOWED_HOSTS list to limit the host address. 2) Added CSP and HSTS security header. 3) Hide the webserver/ development framework version. Fixes #5919
2025-02-25 18:55:31 -06:00 · 2020-10-20 17:14:45 +05:30
parent 3413a42af4
commit 08c4deba5a
11 changed files with 148 additions and 11 deletions
--- a/web/pgadmin/utils/security_headers.py
+++ b/web/pgadmin/utils/security_headers.py
@@ -0,0 +1,41 @@
+##########################################################################
+#
+# pgAdmin 4 - PostgreSQL Tools
+#
+# Copyright (C) 2013 - 2020, The pgAdmin Development Team
+# This software is released under the PostgreSQL Licence
+#
+#########################################################################
+
+import config
+
+
+class SecurityHeaders:
+
+    @staticmethod
+    def set_response_headers(response):
+        """set response security headers"""
+
+        params_dict = {
+            'CONTENT_SECURITY_POLICY': 'Content-Security-Policy',
+            'X_CONTENT_TYPE_OPTIONS': 'X-Content-Type-Options',
+            'X_XSS_PROTECTION': 'X-XSS-Protection',
+            'WEB_SERVER': 'Server',
+        }
+
+        # X-Frame-Options for security
+        if config.X_FRAME_OPTIONS != "" and \
+                config.X_FRAME_OPTIONS.lower() != "deny":
+            response.headers["X-Frame-Options"] = config.X_FRAME_OPTIONS
+
+        # Strict-Transport-Security
+        if config.STRICT_TRANSPORT_SECURITY_ENABLED and \
+                config.STRICT_TRANSPORT_SECURITY != "":
+            response.headers["Strict-Transport-Security"] = \
+                config.STRICT_TRANSPORT_SECURITY
+
+        # add other security options
+        for key in params_dict:
+            if key in config.__dict__ and config.__dict__[key] != "" \
+                    and config.__dict__[key] is not None:
+                response.headers[params_dict[key]] = config.__dict__[key]
--- a/web/pgadmin/utils/session.py
+++ b/web/pgadmin/utils/session.py
@@ -311,7 +311,11 @@ class ManagedSessionInterface(SessionInterface):
        response.set_cookie(
            app.session_cookie_name,
            '%s!%s' % (session.sid, session.hmac_digest),
-            expires=cookie_exp, httponly=True, domain=domain
+            expires=cookie_exp,
+            secure=config.SESSION_COOKIE_SECURE,
+            httponly=config.SESSION_COOKIE_HTTPONLY,
+            samesite=config.SESSION_COOKIE_SAMESITE,
+            domain=domain
        )