ONLYOFFICE / Docker-DocumentServer

ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
GNU Affero General Public License v3.0

Add CSP, HSTS and X-Content-Type-Options #719

Open rmsmgaspar opened 5 months ago

rmsmgaspar commented 5 months ago

This issue is unique.

Your idea.

Regarding webpage security, there is a need to set security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS) and X-Content-Type-Options. Right now this is not possible with the Docker version. Is it possible to have this implemented, or to set it through some environment variables? Thanks in advance.

igwyd commented 5 months ago

Hello @rmsmgaspar, we automatically add add_header X-Content-Type-Options nosniff; and add_header Strict-Transport-Security max-age=31536000; to the nginx config if you run ONLYOFFICE Document Server using HTTPS, and we have Docker variables for setting up HSTS. CSP is not implemented; I created ticket #66988 with your proposal. BTW, you can configure any security settings yourself if you use an external proxy; our examples for proxies are here.
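The external-proxy route mentioned above, as an added example that is not part of the thread or of the ONLYOFFICE repository: an nginx reverse proxy in front of Document Server that sets all three requested headers. The hostname, certificate paths and upstream address are assumptions, and the CSP value is a placeholder started in Report-Only mode so it can be tuned against violation reports before enforcing it.

```nginx
# Added example, not the ONLYOFFICE project's own config.
# Assumed: office.example.com, the cert paths, and a container named
# "documentserver" listening on port 80 behind this proxy.
server {
    listen 80;
    server_name office.example.com;
    return 301 https://$host$request_uri;   # HSTS only helps if HTTP redirects to HTTPS
}

server {
    listen 443 ssl;
    server_name office.example.com;

    ssl_certificate     /etc/ssl/certs/office.example.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/private/office.example.com.key; # assumed path

    # "always" makes nginx emit the headers on 4xx/5xx responses too;
    # without it, add_header applies only to 2xx/3xx responses.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Placeholder policy, reported but not enforced: switch the header name to
    # Content-Security-Policy once the reports show no legitimate violations.
    # frame-ancestors must list every site that embeds the editors in an iframe.
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; img-src 'self' data: blob:; frame-ancestors 'self'" always;

    location / {
        # Caveat: an add_header inside this location would replace, not extend,
        # the server-level headers above, so keep all headers in one place.
        proxy_pass http://documentserver:80;           # assumed upstream
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;        # editors use WebSockets
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;    # tells the upstream it is behind TLS
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Check the result with curl -sI https://office.example.com/ and confirm the three headers appear on both a normal page and a 404.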

rmsmgaspar commented 5 months ago

Thanks