Ocserv: ocserv_config.tmpl missing security headers from original package

I am running VyOS 1.3-rolling-202310091117 and the file /usr/share/vyos/templates/ocserv/ocserv_config.tmpl does not contain the important security headers that are part of the default config file (doc/sample.config · master · OpenConnect VPN projects / ocserv · GitLab).

The result of the missing headers can be seen when running an online security scan of ocserv - e.g. using https://securityheaders.com

Missing entries can be appended to the VyOS ocserv template file:

```
# HTTP headers
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
```
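
As an added example (not code from the thread, VyOS or ocserv), a small Python checker that parses `included-http-headers` lines from the template and reports which of them a server response actually lacks or sends with a different value; `TEMPLATE_SNIPPET` is a constructed subset of the lines above, and `fetch_headers` is a hypothetical helper for running the check against your own portal.

```python
"""Check that an ocserv portal really sends its configured security headers."""
import http.client
import ssl

# Constructed sample: a subset of the included-http-headers lines from the post.
TEMPLATE_SNIPPET = """
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Cache-control: no-store, no-cache
"""


def _norm(value):
    # Header names and (for this check) values are compared case- and
    # whitespace-insensitively.
    return " ".join(value.split()).lower()


def parse_included_headers(config_text):
    """Return {lowercased header name: expected value} from ocserv config lines."""
    expected = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("included-http-headers"):
            continue
        _, _, header = line.partition("=")        # first '=' only; values may contain '='
        name, _, value = header.strip().partition(":")
        expected[name.strip().lower()] = value.strip()
    return expected


def missing_headers(expected, response_headers):
    """Map each expected header that is absent or differs to a short reason.

    response_headers is an iterable of (name, value) pairs, e.g. the result of
    http.client.HTTPResponse.getheaders(); an empty dict means all headers matched."""
    seen = {name.lower(): _norm(value) for name, value in response_headers}
    problems = {}
    for name, value in expected.items():
        got = seen.get(name)
        if got is None:
            problems[name] = "missing"
        elif got != _norm(value):
            problems[name] = f"got {got!r}, expected {value!r}"
    return problems


def fetch_headers(host, port=443, path="/"):
    """Hypothetical helper: GET the portal page over TLS and return its headers."""
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ssl.create_default_context())
    conn.request("GET", path)
    return conn.getresponse().getheaders()
```

Feeding `fetch_headers("vpn.example.org")` into `missing_headers` gives the same kind of report an online scanner produces, without sending the hostname to a third party.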

Good catch, thanks for sharing these missing headers. I've created the task in our dev portal:

https://vyos.dev/T5796

If you can share the full configuration you tested with ocserv, it would be nice.

I’m afraid I can’t share the full configuration as it contains confidential info, but related to this issue I only made changes to /usr/share/vyos/templates/ocserv/ocserv_config.tmpl which is included here and which I’ve been using for a few weeks. Hope that helps - if there is any other information short of site specific data I can help you with, please ask

ocserv_config.tmpl.txt (3.0 KB)

Security options were added in our version 1.4/1.5 and are already available to test in our nightly version:

https://vyos.dev/T5796

The headers were added on 2 July 2022, and VyOS 1.3 is older than that (1.3.0 was released 21 December 2021), which is probably why they are missing in the clone used in VyOS.
