From 26d08bb44c2c69cbed5f37d5269fc55c44acc2fa Mon Sep 17 00:00:00 2001
From: Keenan Brock
Date: Tue, 8 Mar 2022 09:26:34 -0500
Subject: [PATCH] adding secure headers to apache

- these are immutable static assets
- adding packs which are also immutable static assets
- adding Cache-Control public to allow proxy servers to cache these files
---
 .../pkg/helpers/miq-components/httpd_conf.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/manageiq-operator/pkg/helpers/miq-components/httpd_conf.go b/manageiq-operator/pkg/helpers/miq-components/httpd_conf.go
index ef2b893b..fc90d734 100644
--- a/manageiq-operator/pkg/helpers/miq-components/httpd_conf.go
+++ b/manageiq-operator/pkg/helpers/miq-components/httpd_conf.go
@@ -432,9 +432,27 @@ LimitRequestFieldSize 524288
 ProxyPreserveHost on
 Header unset ETag
+ Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
+ Header set X-Content-Type-Options "nosniff"
+ Header set X-Frame-Options "SAMEORIGIN"
+ Header set X-Permitted-Cross-Domain-Policies "none"
+ Header set X-XSS-Protection "1; mode=block"
 FileETag None
 ExpiresActive On
 ExpiresDefault "access plus 1 year"
+ Header merge Cache-Control public
+
+
+ Header unset ETag
+ Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self' fonts.gstatic.com; script-src 'self'; style-src 'self'; report-uri /dashboard/csp_report"
+ Header set X-Content-Type-Options "nosniff"
+ Header set X-Frame-Options "SAMEORIGIN"
+ Header set X-Permitted-Cross-Domain-Policies "none"
+ Header set X-XSS-Protection "1; mode=block"
+ FileETag None
+ ExpiresActive On
+ ExpiresDefault "access plus 1 year"
+ Header merge Cache-Control public
 ErrorDocument 403 /error/noindex.html
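Review bot: Every `Header set` the hunk adds, in both Directory blocks, applies only to 2xx responses, because `Header` without `always` operates on the onsuccess table; a 403 or 404 for a forbidden or missing asset (the `ErrorDocument 403 /error/noindex.html` context line just below shows such responses are expected here) goes out without X-Content-Type-Options, X-Frame-Options or the CSP. Change each of the ten added lines to the `always` form, e.g. `Header always set X-Content-Type-Options "nosniff"`; `Header merge Cache-Control public` can stay as is, since caching error pages is not wanted. `Header set X-XSS-Protection "1; mode=block"` is deprecated and ignored by current browsers, and with a CSP already in place the usual guidance is to send `X-XSS-Protection "0"` or drop the header rather than re-enable the legacy filter. The two blocks are byte-identical, so emitting them from one Go helper or a single `<DirectoryMatch>` in this string would keep them from drifting apart. The Directory open and close tags appear to have been stripped from this rendering, and the enclosing Go string literal begins and ends outside the hunk.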