From 1a18f610b2ac9534cb96c48820dd31612e001d50 Mon Sep 17 00:00:00 2001 From: ShahanaFarooqui Date: Tue, 12 Sep 2023 21:53:30 -0700 Subject: [PATCH] docs: Update documents with `rest-csp` option Changelog-Added: New configurable Content-Security-Policy (CSP) header for clnrest --- doc/developers-guide/app-development/rest.md | 5 ++++- doc/lightningd-config.5.md | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/developers-guide/app-development/rest.md b/doc/developers-guide/app-development/rest.md index 624e9fd0a..27be01c7e 100644 --- a/doc/developers-guide/app-development/rest.md +++ b/doc/developers-guide/app-development/rest.md 
@@ -45,7 +45,10 @@ If `rest-port` is not specified, the plugin will disable itself. - --rest-port: Sets the REST server port to listen to (3010 is common) - --rest-protocol: Specifies the REST server protocol. Default is HTTPS. - --rest-host: Defines the REST server host. Default is 127.0.0.1. -- --rest-certs: Defines the path for HTTPS cert & key. Default path is same as RPC file path to utilize gRPC's client certificate. If it is missing at the configured location, new identity (`client.pem` and `client-key.pem`) will be generated. +- --rest-certs: Defines the path for HTTPS cert & key. Default path is same as RPC file path to utilize gRPC's client certificate. If it is missing at the configured location, new identity will be generated. +- --rest-csp: Creates a whitelist of trusted content sources that can run on a webpage and helps mitigate the risk of attacks. +Default CSP is set as `default-src 'self'; font-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';`. +Example CSP: `rest-csp=default-src 'self'; font-src 'self'; img-src 'self'; frame-src 'self'; style-src 'self'; script-src 'self';`. - --rest-cors-origins: Define multiple origins which are allowed to share resources on web pages to a domain different from the one that served the web page. Default is `*` which allows all origins. Example to define multiple origins: ``` diff --git a/doc/lightningd-config.5.md b/doc/lightningd-config.5.md index 19f8f3aac..17689262f 100644 --- a/doc/lightningd-config.5.md +++ b/doc/lightningd-config.5.md 
@@ -642,6 +642,9 @@ authenticate to the Tor control port. Define multiple origins which are allowed to share resources on web pages to a domain different from the one that served the web page. Default is `*` which allows all origins. +* **rest-csp**=*CSPOLICY* [plugin `clnrest.py`] + + Creates a whitelist of trusted content sources that can run on a webpage and helps mitigate the risk of attacks. Default CSP is `default-src 'self'; font-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';`. ### Lightning Plugins
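Review bot: In the rest.md hunk (`@@ -45,7 +45,10 @@`), the new `--rest-csp` entry says the policy "helps mitigate the risk of attacks" but does not say that the default value carries `'unsafe-inline'` in both `script-src` and `style-src`; that keeps inline scripts and styles enabled, so the default offers little against XSS in pages served by clnrest, and the stricter example policy (no `'unsafe-inline'`) is the one to recommend when the frontend does not need inline script. Two smaller points in the same hunk: the rewritten `--rest-certs` line drops the generated file names (`client.pem` and `client-key.pem`) that the old line gave, so unless those names changed that detail should stay; and the `rest-csp=default-src 'self'; ...` example contains spaces and semicolons, so the text should say whether it is meant for the config file or the command line, where a shell would need it quoted. Putting the example in a fenced block, as the `--rest-cors-origins` entry below it does, would also keep the two entries consistent.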
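Review bot: In the lightningd-config.5.md hunk (`@@ -642,6 +642,9 @@`), the **rest-csp** description should say what the directive list actually controls rather than "content sources that can run on a webpage": a CSP tells the browser which origins it may load scripts, styles, images, fonts and frames from, and it only affects responses rendered in a browser, not API clients calling clnrest directly. The man page also lists the default but, unlike rest.md, gives no example of a tighter policy; adding the same example here, with a sentence that the default's `'unsafe-inline'` in `script-src` and `style-src` must be removed for the policy to block injected inline script, would let an operator pick a safe value from the man page alone. If the intent is also to stop the UI being framed by other sites, note that `frame-src 'self'` only limits what the page itself may embed; that would need `frame-ancestors`.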