[RFE] Harden Apache security #121

carma12 · 2023-06-29T07:12:47Z

As stated here, there are some security issues with Apache in IPA.

Highlights:

IPA sets Content-Security-Policy in ipa.conf:
- Header always append Content-Security-Policy "frame-ancestors 'none'"
- none means no resources are allowed to load so it's no wonder that the page is blank.
It just doesn't set the default-src or script-src values.
IPA always sets X-Frame:
- Header always append X-Frame-Options DENY

We would need to evaluate the UI to support the additional CSP values (e.g. how scripts are loaded, inline scripts, etc).

The text was updated successfully, but these errors were encountered:

github-actions · 2023-12-11T12:46:55Z

This issue has not received any attention in 120 days.

carma12 · 2023-12-11T13:08:36Z

Removed stale label as this will be eventually addressed.

github-actions · 2024-12-11T12:58:28Z

This issue has not received any attention in 365 days.

carma12 added the enhancement New feature or request label Jun 29, 2023

github-actions bot added the stale This PR/issue is stale and will be closed label Dec 11, 2023

carma12 removed the stale This PR/issue is stale and will be closed label Dec 11, 2023

github-actions bot added the stale This PR/issue is stale and will be closed label Dec 11, 2024

carma12 removed the stale This PR/issue is stale and will be closed label Dec 11, 2024

Provide feedback