|
|
<template lang='pug'> v-container(fluid, grid-list-lg) v-layout(row wrap) v-flex(xs12) .admin-header img.animated.fadeInUp(src='/_assets/svg/icon-private.svg', alt='Security', style='width: 80px;') .admin-header-title .headline.primary--text.animated.fadeInLeft {{ $t('admin:security.title') }} .subtitle-1.grey--text.animated.fadeInLeft {{ $t('admin:security.subtitle') }} v-spacer v-btn.animated.fadeInDown(color='success', depressed, @click='save', large) v-icon(left) mdi-check span {{$t('common:actions.apply')}} v-form.pt-3 v-layout(row wrap) v-flex(lg6 xs12) v-card.animated.fadeInUp v-toolbar(color='red darken-2', dark, dense, flat) v-toolbar-title.subtitle-1 Security v-card-info(color='red') span Make sure to understand the implications before turning on / off a security feature. v-card-text v-switch( inset label='Block Open Redirect' color='red darken-2' v-model='config.securityOpenRedirect' persistent-hint hint='Prevents user controlled URLs from directing to websites outside of your wiki. This provides Open Redirect protection.' )
v-divider.mt-3 v-switch.mt-3( inset label='Block IFrame Embedding' color='red darken-2' v-model='config.securityIframe' persistent-hint hint='Prevents other websites from embedding your wiki in an iframe. This provides clickjacking protection.' )
v-divider.mt-3 v-switch( inset label='Same Origin Referrer Policy' color='red darken-2' v-model='config.securityReferrerPolicy' persistent-hint hint='Limits the referrer header to same origin.' )
v-divider.mt-3 v-switch( inset label='Trust X-Forwarded-* Proxy Headers' color='red darken-2' v-model='config.securityTrustProxy' persistent-hint hint='Should be enabled when using a reverse-proxy like nginx, apache, CloudFlare, etc in front of Wiki.js. Turn off otherwise.' )
//- v-divider.mt-3
//- v-switch(
//- inset
//- label='Subresource Integrity (SRI)'
//- color='red darken-2'
//- v-model='config.securitySRI'
//- persistent-hint
//- hint='This ensure that resources such as CSS and JS files are not altered during delivery.'
//- disabled
//- )
v-divider.mt-3 v-switch( inset label='Enforce HSTS' color='red darken-2' v-model='config.securityHSTS' persistent-hint hint='This ensures the connection cannot be established through an insecure HTTP connection.' ) v-select.mt-5( outlined label='HSTS Max Age' :items='hstsDurations' v-model='config.securityHSTSDuration' prepend-icon='mdi-subdirectory-arrow-right' :disabled='!config.securityHSTS' hide-details style='max-width: 450px;' ) .pl-11.mt-3 .caption Defines the duration for which the server should only deliver content through HTTPS. .caption It's a good idea to start with small values and make sure that nothing breaks on your wiki before moving to longer values.
//- v-divider.mt-3
//- v-switch(
//- inset
//- label='Enforce CSP'
//- color='red darken-2'
//- v-model='config.securityCSP'
//- persistent-hint
//- hint='Restricts scripts to pre-approved content sources.'
//- disabled
//- )
//- v-textarea.mt-5(
//- label='CSP Directives'
//- outlined
//- v-model='config.securityCSPDirectives'
//- prepend-icon='mdi-subdirectory-arrow-right'
//- persistent-hint
//- hint='One directive per line.'
//- disabled
//- )
v-flex(lg6 xs12) v-card.animated.fadeInUp.wait-p2s v-toolbar(color='primary', dark, dense, flat) v-toolbar-title.subtitle-1 {{ $t('admin:security.uploads') }} v-card-info(color='blue') span {{$t('admin:security.uploadsInfo')}} v-card-text v-text-field.mt-3( outlined :label='$t(`admin:security.maxUploadSize`)' required v-model='config.uploadMaxFileSize' prepend-icon='mdi-progress-upload' :hint='$t(`admin:security.maxUploadSizeHint`)' persistent-hint :suffix='$t(`admin:security.maxUploadSizeSuffix`)' style='max-width: 450px;' ) v-text-field.mt-3( outlined :label='$t(`admin:security.maxUploadBatch`)' required v-model='config.uploadMaxFiles' prepend-icon='mdi-upload-lock' :hint='$t(`admin:security.maxUploadBatchHint`)' persistent-hint :suffix='$t(`admin:security.maxUploadBatchSuffix`)' style='max-width: 450px;' ) v-divider.mt-3 v-switch( inset label='Scan and Sanitize SVG Uploads' color='primary' v-model='config.uploadScanSVG' persistent-hint hint='Should SVG uploads be scanned for vulnerabilities and stripped of any potentially unsafe content.' ) v-divider.mt-3 v-switch( inset label='Force Download of Unsafe Extensions' color='primary' v-model='config.uploadForceDownload' persistent-hint hint='Should non-image files be forced as downloads when accessed directly. This prevents potential XSS attacks via unsafe file extensions uploads.' )
v-card.mt-3.animated.fadeInUp.wait-p2s v-toolbar(flat, color='primary', dark, dense) .subtitle-1 {{$t('admin:security.login')}} //- v-card-info(color='blue')
//- span {{$t('admin:security.loginInfo')}}
.overline.grey--text.pa-4 {{$t('admin:security.loginScreen')}} .px-4.pb-3 v-text-field( outlined :label='$t(`admin:security.loginBgUrl`)' v-model='config.authLoginBgUrl' :hint='$t(`admin:security.loginBgUrlHint`)' persistent-hint prepend-icon='mdi-image-area' append-icon='mdi-folder-image' @click:append='browseLoginBg' ) v-switch( inset :label='$t(`admin:security.bypassLogin`)' color='primary' v-model='config.authAutoLogin' prepend-icon='mdi-fast-forward' persistent-hint :hint='$t(`admin:security.bypassLoginHint`)' ) v-switch( inset :label='$t(`admin:security.hideLocalLogin`)' color='primary' v-model='config.authHideLocal' prepend-icon='mdi-eye-off-outline' persistent-hint :hint='$t(`admin:security.hideLocalLoginHint`)' ) v-divider.mt-3 .overline.grey--text.pa-4 {{$t('admin:security.loginSecurity')}} .px-4.pb-3 v-switch.mt-0( inset :label='$t(`admin:security.enforce2fa`)' color='primary' v-model='config.authEnforce2FA' prepend-icon='mdi-two-factor-authentication' :hint='$t(`admin:security.enforce2faHint`)' persistent-hint ) v-divider.mt-3 .overline.grey--text.pa-4 {{$t('admin:security.jwt')}} .px-4.pb-3 v-text-field( v-model='config.authJwtAudience' outlined prepend-icon='mdi-account-group-outline' :label='$t(`admin:auth.jwtAudience`)' :hint='$t(`admin:auth.jwtAudienceHint`)' persistent-hint ) v-text-field.mt-3( v-model='config.authJwtExpiration' outlined prepend-icon='mdi-clock-outline' :label='$t(`admin:auth.tokenExpiration`)' :hint='$t(`admin:auth.tokenExpirationHint`)' persistent-hint ) v-text-field.mt-3( v-model='config.authJwtRenewablePeriod' outlined prepend-icon='mdi-update' :label='$t(`admin:auth.tokenRenewalPeriod`)' :hint='$t(`admin:auth.tokenRenewalPeriodHint`)' persistent-hint )
component(:is='activeModal')</template>
<script>import _ from 'lodash'import { sync } from 'vuex-pathify'import gql from 'graphql-tag'
import editorStore from '../../store/editor'
/* global WIKI */
WIKI.$store.registerModule('editor', editorStore)
export default { i18nOptions: { namespaces: 'editor' }, components: { editorModalMedia: () => import(/* webpackChunkName: "editor", webpackMode: "lazy" */ '../editor/editor-modal-media.vue') }, data() { return { config: { uploadMaxFileSize: 0, uploadMaxFiles: 0, uploadScanSVG: true, uploadForceDownload: true, securityOpenRedirect: true, securityIframe: true, securityReferrerPolicy: true, securityTrustProxy: true, securitySRI: true, securityHSTS: false, securityHSTSDuration: 0, securityCSP: false, securityCSPDirectives: '', authAutoLogin: false, authHideLocal: false, authLoginBgUrl: '', authJwtAudience: 'urn:wiki.js', authJwtExpiration: '30m', authJwtRenewablePeriod: '14d' }, hstsDurations: [ { value: 300, text: '5 minutes' }, { value: 86400, text: '1 day' }, { value: 604800, text: '1 week' }, { value: 2592000, text: '1 month' }, { value: 31536000, text: '1 year' }, { value: 63072000, text: '2 years' } ] } }, computed: { activeModal: sync('editor/activeModal') }, methods: { async save () { try { await this.$apollo.mutate({ mutation: gql`
mutation ( $authAutoLogin: Boolean $authEnforce2FA: Boolean $authHideLocal: Boolean $authLoginBgUrl: String $authJwtAudience: String $authJwtExpiration: String $authJwtRenewablePeriod: String $uploadMaxFileSize: Int $uploadMaxFiles: Int $uploadScanSVG: Boolean $uploadForceDownload: Boolean $securityOpenRedirect: Boolean $securityIframe: Boolean $securityReferrerPolicy: Boolean $securityTrustProxy: Boolean $securitySRI: Boolean $securityHSTS: Boolean $securityHSTSDuration: Int $securityCSP: Boolean $securityCSPDirectives: String ) { site { updateConfig( authAutoLogin: $authAutoLogin, authEnforce2FA: $authEnforce2FA, authHideLocal: $authHideLocal, authLoginBgUrl: $authLoginBgUrl, authJwtAudience: $authJwtAudience, authJwtExpiration: $authJwtExpiration, authJwtRenewablePeriod: $authJwtRenewablePeriod, uploadMaxFileSize: $uploadMaxFileSize, uploadMaxFiles: $uploadMaxFiles, uploadScanSVG: $uploadScanSVG uploadForceDownload: $uploadForceDownload, securityOpenRedirect: $securityOpenRedirect, securityIframe: $securityIframe, securityReferrerPolicy: $securityReferrerPolicy, securityTrustProxy: $securityTrustProxy, securitySRI: $securitySRI, securityHSTS: $securityHSTS, securityHSTSDuration: $securityHSTSDuration, securityCSP: $securityCSP, securityCSPDirectives: $securityCSPDirectives ) { responseResult { succeeded errorCode slug message } } } } `,
variables: { authAutoLogin: _.get(this.config, 'authAutoLogin', false), authEnforce2FA: _.get(this.config, 'authEnforce2FA', false), authHideLocal: _.get(this.config, 'authHideLocal', false), authLoginBgUrl: _.get(this.config, 'authLoginBgUrl', ''), authJwtAudience: _.get(this.config, 'authJwtAudience', ''), authJwtExpiration: _.get(this.config, 'authJwtExpiration', ''), authJwtRenewablePeriod: _.get(this.config, 'authJwtRenewablePeriod', ''), uploadMaxFileSize: _.toSafeInteger(_.get(this.config, 'uploadMaxFileSize', 0)), uploadMaxFiles: _.toSafeInteger(_.get(this.config, 'uploadMaxFiles', 0)), uploadScanSVG: _.get(this.config, 'uploadScanSVG', false), uploadForceDownload: _.get(this.config, 'uploadForceDownload', false), securityOpenRedirect: _.get(this.config, 'securityOpenRedirect', false), securityIframe: _.get(this.config, 'securityIframe', false), securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false), securityTrustProxy: _.get(this.config, 'securityTrustProxy', false), securitySRI: _.get(this.config, 'securitySRI', false), securityHSTS: _.get(this.config, 'securityHSTS', false), securityHSTSDuration: _.get(this.config, 'securityHSTSDuration', 0), securityCSP: _.get(this.config, 'securityCSP', false), securityCSPDirectives: _.get(this.config, 'securityCSPDirectives', '') }, watchLoading (isLoading) { this.$store.commit(`loading${isLoading ? 'Start' : 'Stop'}`, 'admin-site-update') } }) this.$store.commit('showNotification', { style: 'success', message: 'Configuration saved successfully.', icon: 'check' }) } catch (err) { this.$store.commit('pushGraphError', err) } }, browseLoginBg () { this.$store.set('editor/editorKey', 'common') this.activeModal = 'editorModalMedia' } }, mounted () { this.$root.$on('editorInsert', opts => { this.config.authLoginBgUrl = opts.path }) }, beforeDestroy() { this.$root.$off('editorInsert') }, apollo: { config: { query: gql`
{ site { config { authAutoLogin authEnforce2FA authHideLocal authLoginBgUrl authJwtAudience authJwtExpiration authJwtRenewablePeriod uploadMaxFileSize uploadMaxFiles uploadScanSVG uploadForceDownload securityOpenRedirect securityIframe securityReferrerPolicy securityTrustProxy securitySRI securityHSTS securityHSTSDuration securityCSP securityCSPDirectives } } } `,
fetchPolicy: 'network-only', update: (data) => _.cloneDeep(data.site.config), watchLoading (isLoading) { this.$store.commit(`loading${isLoading ? 'Start' : 'Stop'}`, 'admin-security-refresh') } } }}</script>
<style lang='scss'>
</style>
|
