Skip to content

Commit

Permalink
docs: Update documents with rest-csp option
Browse files Browse the repository at this point in the history 
Changelog-Added: New configurable Content-Security-Policy (CSP) header for clnrest
  • Loading branch information
@ShahanaFarooqui @rustyrussell
ShahanaFarooqui authored and rustyrussell committed Sep 19, 2023
1 parent 3108ff9 commit 1a18f61
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 1 deletion.
5 changes: 4 additions & 1 deletion doc/developers-guide/app-development/rest.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,10 @@ If `rest-port` is not specified, the plugin will disable itself.
- --rest-port: Sets the REST server port to listen to (3010 is common)
- --rest-protocol: Specifies the REST server protocol. Default is HTTPS.
- --rest-host: Defines the REST server host. Default is 127.0.0.1.
- --rest-certs: Defines the path for HTTPS cert & key. Default path is same as RPC file path to utilize gRPC's client certificate. If it is missing at the configured location, new identity (`client.pem` and `client-key.pem`) will be generated.
- --rest-certs: Defines the path for HTTPS cert & key. Default path is same as RPC file path to utilize gRPC's client certificate. If it is missing at the configured location, new identity will be generated.
- --rest-csp: Creates a whitelist of trusted content sources that can run on a webpage and helps mitigate the risk of attacks.
Default CSP is set as `default-src 'self'; font-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';`.
Example CSP: `rest-csp=default-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; style-src 'self'; script-src 'self';`.
- --rest-cors-origins: Define multiple origins which are allowed to share resources on web pages to a domain different from the one that served the web page. Default is `*` which allows all origins. Example to define multiple origins:

```
Expand Down
3 changes: 3 additions & 0 deletions doc/lightningd-config.5.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -642,6 +642,9 @@ authenticate to the Tor control port.

Define multiple origins which are allowed to share resources on web pages to a domain different from the one that served the web page. Default is `*` which allows all origins.

* **rest-csp**=*CSPOLICY* [plugin `clnrest.py`]

Creates a whitelist of trusted content sources that can run on a webpage and helps mitigate the risk of attacks. Default CSP is `default-src 'self'; font-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';`.

### Lightning Plugins

Expand Down

0 comments on commit 1a18f61

Please sign in to comment.