Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/03/11 01:23:59 UTC

[GitHub] [apisix-dashboard] starsz commented on a change in pull request #2341: feat: add security header

starsz commented on a change in pull request #2341:
URL: https://github.com/apache/apisix-dashboard/pull/2341#discussion_r824311862



##########
File path: api/conf/conf.yaml
##########
@@ -60,6 +60,14 @@ conf:
                          # such as absolute path on Windows: winfile:///C:\access.log
                          # log example: 2020-12-09T16:38:09.039+0800	INFO	filter/logging.go:46	/apisix/admin/routes/r1	{"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
   max_cpu: 0             # supports tweaking with the number of OS threads are going to be used for parallelism. Default value: 0 [will use max number of available cpu cores considering hyperthreading (if any)]. If the value is negative, is will not touch the existing parallelism profile.
+  # security:
+  #   access_control_allow_origin: "http:httpbin.org"
+  #   access_control_allow_credentials: true          # support user custom cors configration
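Review bot: The example enables `access_control_allow_credentials: true` next to a single explicit origin without saying that this pairing is mandatory: browsers reject a credentialed CORS response whose `Access-Control-Allow-Origin` is `*`, so a reader who later widens the origin to a wildcard silently breaks every credentialed request unless the Go side rejects that combination, which this hunk does not show. Suggest a comment on the origin line: `# must be an explicit origin, never "*", when access_control_allow_credentials is true (browsers refuse credentialed responses with a wildcard origin)`. The hunk header counts eight added lines but only three are quoted here, so the rest of the new `security` block is outside this view.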

Review comment:
       ```suggestion
    #   access_control_allow_credentials: true          # support using custom cors configuration
   ```

##########
File path: api/conf/conf.yaml
##########
@@ -60,6 +60,14 @@ conf:
                          # such as absolute path on Windows: winfile:///C:\access.log
                          # log example: 2020-12-09T16:38:09.039+0800	INFO	filter/logging.go:46	/apisix/admin/routes/r1	{"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
   max_cpu: 0             # supports tweaking with the number of OS threads are going to be used for parallelism. Default value: 0 [will use max number of available cpu cores considering hyperthreading (if any)]. If the value is negative, is will not touch the existing parallelism profile.
+  # security:
+  #   access_control_allow_origin: "http:httpbin.org"

Review comment:
       ```suggestion
     #   access_control_allow_origin: "http://httpbin.org"
   ```

##########
File path: api/internal/filter/cors.go
##########
@@ -16,14 +16,36 @@
  */
 package filter
 
-import "github.com/gin-gonic/gin"
+import (
+	"github.com/apisix/manager-api/internal/conf"

Review comment:
       Code style.

##########
File path: api/internal/conf/conf.go
##########
@@ -316,3 +330,24 @@ func initParallelism(choiceCores int) {
 	}
 	runtime.GOMAXPROCS(choiceCores)
 }
+
+// initialize security settings
+func initSecurity(conf Security) {
+	var se Security
+	// if conf == se, then conf is empty, we should use default value
+	if conf != se {
+		SecurityConf = conf
+		if conf.ContentSecurityPolicy == "" {
+			SecurityConf.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+		}
+		if conf.XFrameOptions == "" {
+			SecurityConf.XFrameOptions = "deny"
+		}
+		return
+	}
+
+	SecurityConf = Security{
+		XFrameOptions:         "deny",
+		ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+	}
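Review bot: The empty-struct special case at the top of initSecurity is redundant: when `conf` is the zero value, the two per-field fallbacks already yield exactly the `Security{XFrameOptions: "deny", ContentSecurityPolicy: ...}` literal built in the fallback branch, so the function can collapse to `SecurityConf = conf` plus the two blank-filling checks, which also removes the duplicated CSP string. The default policy's `script-src 'self' 'unsafe-eval'` lets any injected code reach `eval()`/`new Function()`, which noticeably weakens CSP; if the bundled frontend genuinely needs it, that belongs in a comment such as `// 'unsafe-eval' (script-src) and 'unsafe-inline' (style-src) are needed by the bundled frontend — TODO confirm and tighten if possible`. Note that `conf != se` only compiles while every field of Security is comparable (no slice or map fields), which this hunk cannot confirm. The function's closing brace is outside the hunk.
```go
// defaultCSP is applied whenever the config leaves ContentSecurityPolicy empty.
// 'unsafe-eval' (script-src) and 'unsafe-inline' (style-src) are assumed to be
// needed by the bundled frontend — TODO confirm and tighten if possible.
const defaultCSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

// initSecurity stores conf in SecurityConf, filling XFrameOptions and
// ContentSecurityPolicy with defaults where the config leaves them empty.
func initSecurity(conf Security) {
	SecurityConf = conf
	if SecurityConf.ContentSecurityPolicy == "" {
		SecurityConf.ContentSecurityPolicy = defaultCSP
	}
	if SecurityConf.XFrameOptions == "" {
		SecurityConf.XFrameOptions = "deny"
	}
}
```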

Review comment:
       So we don't have default values for `AllowCredentials`, `AllowOrigin`, `AllowMethods` or `AllowHeaders`?



