From 5dc642ace12b3716c5f5cb6d4a07dcc9360b776f Mon Sep 17 00:00:00 2001
From: sakkiii <saketmittal.09@gmail.com>
Date: Fri, 16 Apr 2021 14:45:04 +0530
Subject: [PATCH 1/3] Nginx element web: XSS protection & nosniff header

X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
---
 .../templates/nginx/conf.d/matrix-client-element.conf.j2        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
index f56d7fd59..5643af728 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@@ -6,6 +6,8 @@
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-Frame-Options SAMEORIGIN;
+	add_header X-XSS-Protection "1; mode=block";
+	add_header Content-Security-Policy "frame-ancestors 'none'";
 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

From 05042f5ff164dc9eebea2746bbb1fd2e2afe6555 Mon Sep 17 00:00:00 2001
From: sakkiii <saketmittal.09@gmail.com>
Date: Sat, 17 Apr 2021 21:03:05 +0530
Subject: [PATCH 2/3] Improve security grafana

- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
---
 roles/matrix-grafana/defaults/main.yml                 |  6 ++++++
 roles/matrix-grafana/templates/grafana.ini.j2          |  3 +++
 .../templates/nginx/conf.d/matrix-grafana.conf.j2      | 10 +++++++---
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml
index f358608b7..c8d47d855 100644
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@@ -31,6 +31,12 @@ matrix_grafana_anonymous_access_org_name: 'Main Org.'
 matrix_grafana_default_admin_user: admin
 matrix_grafana_default_admin_password: admin
 
+# Set to true to add the Content-Security-Policy header to your requests.
+# CSP allows to control resources that the user agent can load and helps 
+# prevent XSS attacks.
+# [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
+matrix_grafana_content_security_policy: true
+
 # A list of extra arguments to pass to the container
 matrix_grafana_container_extra_arguments: []
 
diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2
index c7fe1d910..38534bc32 100644
--- a/roles/matrix-grafana/templates/grafana.ini.j2
+++ b/roles/matrix-grafana/templates/grafana.ini.j2
@@ -5,6 +5,9 @@ admin_user = "{{ matrix_grafana_default_admin_user }}"
 # default admin password, can be changed before first start of grafana, or in profile settings
 admin_password = """{{ matrix_grafana_default_admin_password }}"""
 
+# specify content_security_policy to add the Content-Security-Policy header to your requests
+content_security_policy = "{{ matrix_grafana_content_security_policy }}"
+
 [auth.anonymous]
 # enable anonymous access
 enabled = {{ matrix_grafana_anonymous_access }}
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
index 0e1f1c2d7..cd86f0909 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
@@ -3,9 +3,13 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-	add_header X-Content-Type-Options nosniff;
-	add_header X-Frame-Options SAMEORIGIN;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	# duplicate X-Content-Type-Options & X-Frame-Options header
+	# Enabled by grafana by default
+	# add_header X-Content-Type-Options nosniff;
+	# add_header X-Frame-Options SAMEORIGIN;
+	add_header Referrer-Policy "strict-origin-when-cross-origin";
+	proxy_cookie_path / "/; HTTPOnly; Secure";
 	{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}

From 1958d0792d451cfe96bf889bec1d48bede2d92c0 Mon Sep 17 00:00:00 2001
From: sakkiii <saketmittal.09@gmail.com>
Date: Sat, 17 Apr 2021 21:33:07 +0530
Subject: [PATCH 3/3] Update matrix-client-element.conf.j2

---
 .../templates/nginx/conf.d/matrix-client-element.conf.j2        | 2 --
 1 file changed, 2 deletions(-)

diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
index 5643af728..f56d7fd59 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@@ -6,8 +6,6 @@
 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-Frame-Options SAMEORIGIN;
-	add_header X-XSS-Protection "1; mode=block";
-	add_header Content-Security-Policy "frame-ancestors 'none'";
 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}