Add support for security-related HTTP headers (#9546)

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
2024-12-25 21:54:10 -08:00 · 2021-10-19 21:26:52 +02:00 · 2021-10-19 21:26:52 +02:00 · df1bae0514
parent 2a574bf8c2
commit df1bae0514
3 changed files with 27 additions and 2 deletions
--- a/docs/configuration/https.md
+++ b/docs/configuration/https.md
@ -73,6 +73,30 @@ http_server_config:
  # Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
  # This can not be changed on the fly.
  [ http2: <boolean> | default = true ]
+  # List of headers that can be added to HTTP responses.
+  [ headers:
+    # Set the Content-Security-Policy header to HTTP responses.
+    # Unset if blank.
+    [ Content-Security-Policy: <string> ]
+    # Set the X-Frame-Options header to HTTP responses.
+    # Unset if blank. Accepted values are deny and sameorigin.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    [ X-Frame-Options: <string> ]
+    # Set the X-Content-Type-Options header to HTTP responses.
+    # Unset if blank. Accepted value is nosniff.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    [ X-Content-Type-Options: <string> ]
+    # Set the X-XSS-Protection header to all responses.
+    # Unset if blank. Accepted value is nosniff.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    [ X-XSS-Protection: <string> ]
+    # Set the Strict-Transport-Security header to HTTP responses.
+    # Unset if blank.
+    # Please make sure that you use this with care as this header might force
+    # browsers to load Prometheus and the other applications hosted on the same
+    # domain and subdomains over HTTPS.
+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+    [ Strict-Transport-Security: <string> ] ]

 # Usernames and hashed passwords that have full access to the web
 # server via basic authentication. If empty, no basic authentication is
--- a/go.mod
+++ b/go.mod
@ -49,7 +49,7 @@ require (
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.31.1
 	github.com/prometheus/common/sigv4 v0.1.0
-	github.com/prometheus/exporter-toolkit v0.6.1
+	github.com/prometheus/exporter-toolkit v0.7.0
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.7.0.20210223165440-c65ae3540d44
 	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749
 	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546
--- a/go.sum
+++ b/go.sum
@ -1147,8 +1147,9 @@ github.com/prometheus/common v0.31.1 h1:d18hG4PkHnNAKNMOmFuXFaiY8Us0nird/2m60uS1
 github.com/prometheus/common v0.31.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/common/sigv4 v0.1.0 h1:qoVebwtwwEhS85Czm2dSROY5fTo2PAPEVdDeppTwGX4=
 github.com/prometheus/common/sigv4 v0.1.0/go.mod h1:2Jkxxk9yYvCkE5G1sQT7GuEXm57JrvHu9k5YwTjsNtI=
-github.com/prometheus/exporter-toolkit v0.6.1 h1:Aqk75wQD92N9CqmTlZwjKwq6272nOGrWIbc8Z7+xQO0=
 github.com/prometheus/exporter-toolkit v0.6.1/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
+github.com/prometheus/exporter-toolkit v0.7.0 h1:XtYeVeeC5daG4txbc9+mieKq+/AK4gtIBLl9Mulrjnk=
+github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=