Add HTTP security headers #2725

Closed
opened 2025-12-29 18:21:25 +01:00 by adam · 5 comments
Owner

Originally created by @bbock on GitHub (Jul 5, 2019).

Environment

  • Python version: 3.6.8
  • NetBox version: 2.6.1

Proposed Functionality

In Netbox, several modern HTTP security headers are missing.

As a result, e.g. in the tool Security Headers (https://securityheaders.com/), Netbox only yields a grade "D". Potential security bugs (especially XSS) would be harder to exploit if they are set correctly.

Missing are (ordered from easy to hard to implement):

  • X-Content-Type-Options (https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options): Stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type.
  • X-XSS-Protection (https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection): Sets the configuration for the cross-site scripting filter built into most browsers.
  • Referrer-Policy (https://scotthelme.co.uk/a-new-security-header-referrer-policy/): Allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
  • Feature-Policy (https://scotthelme.co.uk/a-new-security-header-feature-policy/): Allows a site to control which features and APIs can be used in the browser.
  • Content Security Policy (https://scotthelme.co.uk/content-security-policy-an-introduction/): An effective measure to protect the site from XSS attacks.

In the documentation, you recommend adding the X-Forwarded-Proto header. This allows Netbox to additionally use relevant headers and options for HTTPS only:

  • Strict Transport Security (https://scotthelme.co.uk/hsts-the-missing-link-in-tls/) for HTTPS (debatable whether this should be added by the proxy doing HTTPS termination, as this is typically not done in the application itself.)
  • The "secure" flag for cookies could be added.

Database Changes and External Dependencies

None are expected.

Documentation

Bonus Points:

The P3P policy included in the nginx example in the documentation (https://netbox.readthedocs.io/en/stable/installation/3-http-daemon/#option-a-nginx) is obsolete (https://www.w3.org/TR/P3P11/) and should be removed.

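As an added illustration of the proposal above (example code, not NetBox's own): a framework-agnostic response filter that adds the unconditional headers from the list, and the HTTPS-only ones (HSTS and the Secure cookie flag) only when the reverse proxy has set X-Forwarded-Proto: https. The header values, the function names and the sample request/response are assumptions chosen for illustration.

```python
"""Added example (not NetBox code): add the security headers from the issue to a
WSGI-style response, with HTTPS-only hardening keyed on X-Forwarded-Proto.
Header values below are assumptions; tune the CSP to the assets a given install loads."""

# Headers that are safe to add regardless of scheme (values are assumptions).
ALWAYS_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "same-origin",
    "Feature-Policy": "camera 'none'; microphone 'none'; geolocation 'none'",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def _secure_cookie(cookie):
    """Append the Secure attribute to a Set-Cookie value if it is missing."""
    attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
    return cookie if "secure" in attrs else cookie + "; Secure"


def harden_response(request_headers, response_headers):
    """Return a new (name, value) list with the security headers added.

    request_headers: dict of request headers as forwarded by the proxy.
    response_headers: list of (name, value) tuples as produced by WSGI.
    Headers the application already set are left untouched.
    """
    present = {name.lower() for name, _ in response_headers}
    out = list(response_headers)
    for name, value in ALWAYS_HEADERS.items():
        if name.lower() not in present:
            out.append((name, value))
    # HTTPS-only hardening: trust the proxy's X-Forwarded-Proto, as the docs suggest.
    if request_headers.get("X-Forwarded-Proto", "http").lower() == "https":
        if "strict-transport-security" not in present:
            out.append(("Strict-Transport-Security", HSTS_VALUE))
        out = [(n, _secure_cookie(v) if n.lower() == "set-cookie" else v) for n, v in out]
    return out


def missing_headers(response_headers):
    """Report which recommended headers a response still lacks (a local check)."""
    present = {name.lower() for name, _ in response_headers}
    wanted = list(ALWAYS_HEADERS) + ["Strict-Transport-Security"]
    return [h for h in wanted if h.lower() not in present]


if __name__ == "__main__":
    # Constructed sample: a NetBox-like response behind an HTTPS-terminating proxy.
    req = {"Host": "netbox.example", "X-Forwarded-Proto": "https"}
    resp = [("Content-Type", "text/html"), ("Set-Cookie", "sessionid=abc; HttpOnly; Path=/")]
    for name, value in harden_response(req, resp):
        print(f"{name}: {value}")
```

Over plain HTTP (no X-Forwarded-Proto) the HSTS header and the Secure flag are deliberately not added, since a browser would ignore HSTS and reject Secure cookies on an insecure origin.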
adam added the type: documentation, status: needs owner labels 2025-12-29 18:21:25 +01:00
adam closed this issue 2025-12-29 18:21:26 +01:00
Author
Owner

@bellwood commented on GitHub (Nov 1, 2019):

Just having gone through securityheaders.com for clients I can say that some of this is beyond the scope of Netbox and more tailored to server security and "best practices" and can largely be per-installation.

To what depth one wants to go will largely be determined by company policy and the level of exposure your Netbox installation has to the public at large. Changes to anything inline or external with the source code (fonts, styles, scripts, etc) would have to be considered by anyone rolling these headers and make updates as needed.

As these things evolve, a maintainer will have to keep up with it and as @jeremystretch has stated, there is enough work already not getting done on the core let alone things that are loosely associated.

Not to say we cannot document this, just, perhaps we make a footnote to "Test and secure your installation via securityheaders.com" and let individual admins make those choices as they see fit?

Author
Owner

@kobayashi commented on GitHub (Nov 2, 2019):

Hi @bbock,

Thank you for your interest in netbox.
For the security headers, I would like to know which site you mention. If that is the official docs (https://netbox.readthedocs.io/), it's better to ask about the issue to readthedocs (https://docs.readthedocs.io/en/stable/security.html), which provides the documentation hosting service to many open source docs.

For the P3P policy described as a bonus point, thanks for letting us know. Are you interested in updating that part?

Author
Owner

@bbock commented on GitHub (Nov 8, 2019):

@kobayashi I'm not talking about the docs site, but netbox itself.

While many of the headers could be added in a proxy (probably everything except the cookie flag), I believe that netbox would benefit by a secure-by-default setup.

I created a trivial pull request to remove the P3P header from the docs (#3684), but cannot currently put more time into this at the moment.

Author
Owner

@kobayashi commented on GitHub (Nov 8, 2019):

Thank you for taking your time.
Although the security headers depend on each user, it is helpful to see samples in the docs.
I will look at your PR later.
Just to make sure: is it OK to close this after merging it? Or I will keep this open if you want to add more. @bbock

Author
Owner

@kobayashi commented on GitHub (Nov 12, 2019):

Closed by #3684

Reference: starred/netbox#2725