Dashboard security improvements and fixes

Author: RTL

Light-Dashboard/README.md

@@ -71,6 +71,15 @@ Here's how the authentication works: if no users are found in the database, auth
 
 The Users.html page provides a simple interface for managing the user database, allowing the addition and removal of users. For simplicity, the authentication code focuses purely on user authentication, without any authorization mechanisms.
 
+## Security Policies
+
+The following default security policies are set to enhance security by controlling content sources and protecting against MIME-type sniffing:
+
+- Content-Security-Policy: Limits resources (scripts, styles) to load only from trusted sources. By default, it restricts all resources to 'self', with an exception for scripts and styles from cdn.jsdelivr.net. You may need to adjust this policy to include additional trusted domains based on your application's requirements.
+- X-Content-Type-Options: Set to "nosniff" to prevent browsers from interpreting files as a different MIME type than declared. This helps prevent certain attacks that rely on MIME-type misinterpretation.
+
+**Note:** These policies are examples and may require customization to meet the specific needs of your deployment environment and any third-party services you integrate. See www/.lua/cms.lua and 'securityPolicies' for details.
+
 
 ## Notes:
 

Light-Dashboard/www/.lua/cms.lua

@@ -1,4 +1,3 @@
-
 -- Mini Content Management System (CMS) designed for the Pure.css dashboard.
 
 -- All LSP applications have a predefined 'dir' object, which is a resrdr instance.
@@ -19,6 +18,13 @@ local rw=require"rwfile"
 -- Closure def: https://en.wikipedia.org/wiki/Closure_(computer_programming)
 local app,io,dir=app,app.io,app.dir
 
+-- Set on 'dir' and used by function cmsfunc()
+local securityPolicies={
+   ["Content-Security-Policy"]= "default-src 'self'; script-src 'self' cdn.jsdelivr.net; style-src 'self' cdn.jsdelivr.net",
+   ["X-Content-Type-Options"]="nosniff",
+}
+-- Doc: https://realtimelogic.com/ba/doc/en/lua/lua.html#rsrdr_header
+dir:header(securityPolicies)
 
 -- Takes the data content of an LSP page (HTML with LSP tags) as
 -- argument, converts the LSP page to Lua code, and compiles the Lua
@@ -69,6 +75,7 @@ local pagesT={}
 -- See the following for details on the request/response environment:
 -- https://realtimelogic.com/ba/doc/en/lua/lua.html#CMDE
 local function cmsfunc(_ENV, relpath, notInMenuOK)
+   local response=response -- e.g. = _ENV.response. Now faster.
 
    -- Translate to (path/)index.html if only directory name is provided.
    if #relpath == 0 or relpath:find"/$" then
@@ -96,6 +103,8 @@ local function cmsfunc(_ENV, relpath, notInMenuOK)
    --Remove the following line and xrsp:finalize() if you do not want to
    --compress the response.
    local xrsp = response:setresponse() -- Activate compression
+   response:setdefaultheaders()
+   for k,v in pairs(securityPolicies) do response:setheader(k,v) end
 
    -- Make the following available to template.lsp
    -- Note, we explicitly use the _ENV tab for code readability.

Light-Dashboard/www/.lua/www/WebSockets.html

@@ -1,61 +1,12 @@
-<?lsp
-
-if require"smq.hub".isSMQ(request) then
-   -- Upgrade HTTP(S) request to SMQ connection
-   -- See code in the .preload script (the app).
-   app.connectClientSlider(request)
-   response:abort() -- stop executing page
-end
-?>
-
 <!--
 Slider documentation: https://roundsliderui.com/
 -->
 <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/roundslider.min.css" rel="stylesheet" />
+<link href="/static/WebSockets.css" rel="stylesheet" />
 <script src="/rtl/jquery.js"></script>
 <script src="/rtl/smq.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/roundslider.min.js"></script>
-<style>
-#SliderContainer {
-    position:relative;
-    height: 200px;
-}
-#Slider {
-    width: 260px;
-    height: 130px;
-    padding: 20px;
-    position: absolute;
-    top: 50%;
-    left: 50%;
-    margin: -85px 0 0 -130px;
-}
-#Slider .rs-handle  {
-    background-color: transparent;
-    border: 8px solid transparent;
-    border-right-color: black;
-    margin: -8px 0 0 14px !important;
-}
-#Slider .rs-handle:before  {
-    display: block;
-    content: " ";
-    position: absolute;
-    height: 12px;
-    width: 12px;
-    background: black;
-    right: -6px;
-    bottom: -6px;
-    border-radius: 100%;
-}
-#Slider .rs-handle:after  {
-    display: block;
-    content: " ";
-    width: 106px;
-    position: absolute;
-    top: -1px;
-    right: 0px;
-    border-top: 2px solid black;
-}
-</style>
+<script src="/static/WebSockets.js"></script>
 
 <div class="header">
   <h1>WebSockets</h1>
@@ -74,42 +25,3 @@ <h2>Real Time Slider Via WebSockets (SMQ)</h2>
 
   <p>See our <a target="_blank" href="https://tutorial.realtimelogic.com/WebSockets.lsp">online tutorial : WebSockets</a> for a WebSockets introduction.</p>
 </div>
-
-<script>
-$(function() {
-    var smq = SMQ.Client(); // No args: connect back to 'origin' i.e. the same page.
-    let active=true;
-
-    //SMQ callback for data sent to the topic "slider" and "self"
-    function onSmqMsg(d,ptid) {
-        if(ptid != smq.gettid()) { //Ignore messages from 'self'
-            active=true;
-            $("#Slider").roundSlider("option", "value", Math.floor(d.angle * 100 / 180));
-            active=false;
-        }
-    }
-    
-    smq.subscribe("self",{datatype:"json",onmsg:onSmqMsg});
-    smq.subscribe("slider",{datatype:"json",onmsg:onSmqMsg});
-
-    function onChange (e) {
-        if(!active)
-            smq.pubjson({angle:Math.floor(e.value * 180 / 100)}, "slider");
-    }
-
-    $("#Slider").roundSlider({
-        animation:false,
-        sliderType: "min-range",
-        radius: 130,
-        showTooltip: false,
-        width: 16,
-        value: 0,
-        handleSize: 0,
-        handleShape: "square",
-        circleShape: "half-top",
-        change: onChange,
-        tooltipFormat: onChange
-    });
-    active=false;
-});
-</script>

Light-Dashboard/www/SMQ/index.lsp

@@ -0,0 +1,14 @@
+<?lsp
+
+-- JS code in the WebSockets.html page (in WebSockets.js) connects to
+-- this page to set up an SMQ WebSocket Connection.
+
+-- Doc: https://realtimelogic.com/ba/doc/en/SMQ.html
+if require"smq.hub".isSMQ(request) then
+   -- Upgrade HTTP(S) request to SMQ connection
+   -- See code in the .preload script (the app).
+   app.connectClientSlider(request) -- Function in the .preload script
+   response:abort() -- stop executing page
+end
+
+?>

Light-Dashboard/www/static/WebSockets.css

@@ -0,0 +1,39 @@
+#SliderContainer {
+    position:relative;
+    height: 200px;
+}
+#Slider {
+    width: 260px;
+    height: 130px;
+    padding: 20px;
+    position: absolute;
+    top: 50%;
+    left: 50%;
+    margin: -85px 0 0 -130px;
+}
+#Slider .rs-handle  {
+    background-color: transparent;
+    border: 8px solid transparent;
+    border-right-color: black;
+    margin: -8px 0 0 14px !important;
+}
+#Slider .rs-handle:before  {
+    display: block;
+    content: " ";
+    position: absolute;
+    height: 12px;
+    width: 12px;
+    background: black;
+    right: -6px;
+    bottom: -6px;
+    border-radius: 100%;
+}
+#Slider .rs-handle:after  {
+    display: block;
+    content: " ";
+    width: 106px;
+    position: absolute;
+    top: -1px;
+    right: 0px;
+    border-top: 2px solid black;
+}

Light-Dashboard/www/static/WebSockets.js

@@ -0,0 +1,38 @@
+$(function() {
+    //SMQ Doc: https://realtimelogic.com/ba/doc/en/JavaScript/SMQ.html 
+    var smq = SMQ.Client("/SMQ/"); // Connect to /SMQ/index.lsp
+    let active=true;
+
+    //SMQ callback for data sent to the topic "slider" and "self"
+    function onSmqMsg(d,ptid) {
+        if(ptid != smq.gettid()) { //Ignore messages from 'self'
+            active=true;
+            $("#Slider").roundSlider("option", "value", Math.floor(d.angle * 100 / 180));
+            active=false;
+        }
+    }
+    
+    smq.subscribe("self",{datatype:"json",onmsg:onSmqMsg});
+    smq.subscribe("slider",{datatype:"json",onmsg:onSmqMsg});
+
+    function onChange (e) {
+        if(!active)
+            smq.pubjson({angle:Math.floor(e.value * 180 / 100)}, "slider");
+    }
+
+    $("#Slider").roundSlider({
+        animation:false,
+        sliderType: "min-range",
+        radius: 130,
+        showTooltip: false,
+        width: 16,
+        value: 0,
+        handleSize: 0,
+        handleShape: "square",
+        circleShape: "half-top",
+        change: onChange,
+        tooltipFormat: onChange
+    });
+    active=false;
+});
+