From edc658f77157685a6bcd472df4534adb805113f5 Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Fri, 28 Feb 2025 12:56:22 +0000
Subject: [PATCH] Set some headers as recommended by Pentesting

---
 common/playbooks/k8s.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 2a0ce76..058919e 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -358,7 +358,12 @@
           --set controller.service.type=NodePort
           --set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
           --set controller.config.proxy-body-size=0
+          --set controller.config.hide-headers='x-jupyterhub-version'
           --set controller.allowSnippetAnnotations=false
+          --set controller.addHeaders.X-Content-Type-Options=nosniff
+          --set controller.addHeaders.Referrer-Policy=no-referrer
+          --set controller.addHeaders.Permissions-Policy="geolocation=()"
+          --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'; report-uri /hub/security/csp-report; default-src 'self'"
           --version={{ version }}
       shell: |-
         helm status --namespace kube-system cluster-ingress
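Review bot: The `Content-Security-Policy` value on the new `controller.addHeaders` line is set controller-wide, so `default-src 'self'` and the JupyterHub-specific `report-uri /hub/security/csp-report` are sent on every response from every Ingress behind this controller, not only the hub. Depending on how the controller emits `addHeaders`, that policy either replaces or is enforced together with any CSP a backend already sends, and a strict `default-src 'self'` may block inline scripts or styles the notebook UI relies on; this is worth confirming in a browser, along with whether the report path exists on each host. The task begins outside this hunk, so I would put a comment above it such as `# Security headers from the pentest report; applied to all Ingresses served by cluster-ingress`. Separately, `--set` splits values on commas, so extending `Permissions-Policy` beyond `geolocation=()` will need `\,` escapes or a values file.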
-- 
GitLab