diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 80ba357bc..713ca7fd4 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -1,138 +1,139 @@
### generated by vpn_openconnect.py ###
{% if listen_address is vyos_defined %}
listen-host = {{ listen_address }}
{% endif %}
tcp-port = {{ listen_ports.tcp }}
udp-port = {{ listen_ports.udp }}
run-as-user = nobody
run-as-group = daemon
{% if accounting.mode.radius is vyos_defined %}
acct = "radius [config=/run/ocserv/radiusclient.conf]"
{% endif %}
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
{% if authentication.identity_based_config.disabled is not vyos_defined %}
{% if "group" in authentication.identity_based_config.mode %}
config-per-group = {{ authentication.identity_based_config.directory }}
default-group-config = {{ authentication.identity_based_config.default_config }}
{% endif %}
{% endif %}
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
{% elif authentication.mode.local == "otp" %}
auth = "plain[otp=/run/ocserv/users.oath]"
{% else %}
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}
{% else %}
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}
{% if "identity_based_config" in authentication %}
{% if "user" in authentication.identity_based_config.mode %}
config-per-user = {{ authentication.identity_based_config.directory }}
default-user-config = {{ authentication.identity_based_config.default_config }}
{% endif %}
{% endif %}
{% if ssl.certificate is vyos_defined %}
server-cert = /run/ocserv/cert.pem
server-key = /run/ocserv/cert.key
{% if ssl.passphrase is vyos_defined %}
key-pin = {{ ssl.passphrase }}
{% endif %}
{% endif %}
{% if ssl.ca_certificate is vyos_defined %}
ca-cert = /run/ocserv/ca.pem
{% endif %}
socket-file = /run/ocserv/ocserv.socket
occtl-socket-file = /run/ocserv/occtl.socket
use-occtl = true
isolate-workers = true
keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 30
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
min-reauth-time = 3
cookie-timeout = 300
rekey-method = ssl
try-mtu-discovery = true
cisco-client-compat = true
dtls-legacy = true
max-ban-score = 80
ban-reset-time = 300
# The name to use for the tun device
device = sslvpn
# DNS settings
{% if network_settings.name_server is vyos_defined %}
{% for dns in network_settings.name_server %}
dns = {{ dns }}
{% endfor %}
{% endif %}
{% if network_settings.tunnel_all_dns is vyos_defined %}
{% if "yes" in network_settings.tunnel_all_dns %}
tunnel-all-dns = true
{% else %}
tunnel-all-dns = false
{% endif %}
{% endif %}
# IPv4 network pool
{% if network_settings.client_ip_settings.subnet is vyos_defined %}
ipv4-network = {{ network_settings.client_ip_settings.subnet }}
{% endif %}
# IPv6 network pool
{% if network_settings.client_ipv6_pool.prefix is vyos_defined %}
ipv6-network = {{ network_settings.client_ipv6_pool.prefix }}
ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }}
{% endif %}
{% if network_settings.push_route is vyos_defined %}
{% for route in network_settings.push_route %}
route = {{ route }}
{% endfor %}
{% endif %}
{% if network_settings.split_dns is vyos_defined %}
{% for tmp in network_settings.split_dns %}
split-dns = {{ tmp }}
{% endfor %}
{% endif %}
{% if authentication.group is vyos_defined %}
# Group settings
{% for grp in authentication.group %}
select-group = {{ grp }}
{% endfor %}
{% endif %}
-
+{% if http_security_headers is vyos_defined %}
# HTTP security headers
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
-included-http-headers = Content-Security-Policy: default-src ´none´
+included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 75c64a99a..736084f8b 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -1,386 +1,392 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
<children>
<node name="openconnect" owner="${vyos_conf_scripts_dir}/vpn_openconnect.py">
<properties>
<help>SSL VPN OpenConnect, AnyConnect compatible server</help>
<priority>901</priority>
</properties>
<children>
<node name="accounting">
<properties>
<help>Accounting for users OpenConnect VPN Sessions</help>
</properties>
<children>
<node name="mode">
<properties>
<help>Accounting mode used by this server</help>
</properties>
<children>
<leafNode name="radius">
<properties>
<help>Use RADIUS server for accounting</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
#include <include/radius-acct-server-ipv4.xml.i>
</children>
</node>
<node name="authentication">
<properties>
<help>Authentication for remote access SSL VPN Server</help>
</properties>
<children>
<node name="mode">
<properties>
<help>Authentication mode used by this server</help>
</properties>
<children>
<leafNode name="local">
<properties>
<help>Use local username/password configuration (OTP supported)</help>
<valueHelp>
<format>password</format>
<description>Password-only local authentication</description>
</valueHelp>
<valueHelp>
<format>otp</format>
<description>OTP-only local authentication</description>
</valueHelp>
<valueHelp>
<format>password-otp</format>
<description>Password (first) + OTP local authentication</description>
</valueHelp>
<constraint>
<regex>(password|otp|password-otp)</regex>
</constraint>
<constraintErrorMessage>Invalid authentication mode. Must be one of: password, otp or password-otp </constraintErrorMessage>
<completionHelp>
<list>otp password password-otp</list>
</completionHelp>
</properties>
</leafNode>
<leafNode name="radius">
<properties>
<help>Use RADIUS server for user autentication</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<node name="identity-based-config">
<properties>
<help>Include configuration file by username or RADIUS group attribute</help>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<leafNode name="mode">
<properties>
<help>Select per user or per group configuration file - ignored if authentication group is configured</help>
<completionHelp>
<list>user group</list>
</completionHelp>
<valueHelp>
<format>user</format>
<description>Match configuration file on username</description>
</valueHelp>
<valueHelp>
<format>group</format>
<description>Match RADIUS response class attribute as file name</description>
</valueHelp>
<constraint>
<regex>(user|group)</regex>
</constraint>
<constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="directory">
<properties>
<help>Directory to containing configuration files</help>
<valueHelp>
<format>path</format>
<description>Path to configuration directory, must be under /config/auth</description>
</valueHelp>
<constraint>
<validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
</constraint>
</properties>
</leafNode>
<leafNode name="default-config">
<properties>
<help>Default configuration if discrete config could not be found</help>
<valueHelp>
<format>filename</format>
<description>Default configuration filename, must be under /config/auth</description>
</valueHelp>
<constraint>
<validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<leafNode name="group">
<properties>
<help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
<valueHelp>
<format>txt</format>
<description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
#include <include/auth-local-users.xml.i>
<node name="local-users">
<children>
<tagNode name="username">
<children>
<node name="otp">
<properties>
<help>2FA OTP authentication parameters</help>
</properties>
<children>
<leafNode name="key">
<properties>
<help>Token Key Secret key for the token algorithm (see RFC 4226)</help>
<valueHelp>
<format>txt</format>
<description>OTP key in hex-encoded format</description>
</valueHelp>
<constraint>
<regex>[a-fA-F0-9]{20,10000}</regex>
</constraint>
<constraintErrorMessage>Key name must only include hex characters and be at least 20 characters long</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="otp-length">
<properties>
<help>Number of digits in OTP code</help>
<valueHelp>
<format>u32:6-8</format>
<description>Number of digits in OTP code</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 6-8"/>
</constraint>
<constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage>
</properties>
<defaultValue>6</defaultValue>
</leafNode>
<leafNode name="interval">
<properties>
<help>Time tokens interval in seconds</help>
<valueHelp>
<format>u32:5-86400</format>
<description>Time tokens interval in seconds.</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 5-86400"/>
</constraint>
<constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage>
</properties>
<defaultValue>30</defaultValue>
</leafNode>
<leafNode name="token-type">
<properties>
<help>Token type</help>
<valueHelp>
<format>hotp-time</format>
<description>Time-based OTP algorithm</description>
</valueHelp>
<valueHelp>
<format>hotp-event</format>
<description>Event-based OTP algorithm</description>
</valueHelp>
<constraint>
<regex>(hotp-time|hotp-event)</regex>
</constraint>
<completionHelp>
<list>hotp-time hotp-event</list>
</completionHelp>
</properties>
<defaultValue>hotp-time</defaultValue>
</leafNode>
</children>
</node>
</children>
</tagNode>
</children>
</node>
#include <include/radius-auth-server-ipv4.xml.i>
<node name="radius">
<children>
#include <include/radius-timeout.xml.i>
<leafNode name="groupconfig">
<properties>
<help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.</help>
</properties>
</leafNode>
</children>
</node>
</children>
</node>
#include <include/listen-address-ipv4-single.xml.i>
<leafNode name="listen-address">
<defaultValue>0.0.0.0</defaultValue>
</leafNode>
<node name="listen-ports">
<properties>
<help>Specify custom ports to use for client connections</help>
</properties>
<children>
<leafNode name="tcp">
<properties>
<help>tcp port number to accept connections</help>
<valueHelp>
<format>u32:1-65535</format>
<description>Numeric IP port</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
<defaultValue>443</defaultValue>
</leafNode>
<leafNode name="udp">
<properties>
<help>udp port number to accept connections</help>
<valueHelp>
<format>u32:1-65535</format>
<description>Numeric IP port</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
<defaultValue>443</defaultValue>
</leafNode>
</children>
</node>
+ <leafNode name="http-security-headers">
+ <properties>
+ <help>Enable HTTP security headers</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<node name="ssl">
<properties>
<help>SSL Certificate, SSL Key and CA</help>
</properties>
<children>
#include <include/pki/ca-certificate.xml.i>
#include <include/pki/certificate-key.xml.i>
</children>
</node>
<node name="network-settings">
<properties>
<help>Network settings</help>
</properties>
<children>
<leafNode name="push-route">
<properties>
<help>Route to be pushed to the client</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 network and prefix length</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 network and prefix length</description>
</valueHelp>
<constraint>
<validator name="ip-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<node name="client-ip-settings">
<properties>
<help>Client IP pools settings</help>
</properties>
<children>
<leafNode name="subnet">
<properties>
<help>Client IP subnet (CIDR notation)</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 address and prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
</constraint>
<constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage>
</properties>
</leafNode>
</children>
</node>
<node name="client-ipv6-pool">
<properties>
<help>Pool of client IPv6 addresses</help>
</properties>
<children>
<leafNode name="prefix">
<properties>
<help>Pool of addresses used to assign to clients</help>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and prefix length</description>
</valueHelp>
<constraint>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
<leafNode name="mask">
<properties>
<help>Prefix length used for individual client</help>
<valueHelp>
<format>u32:48-128</format>
<description>Client prefix length</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 48-128"/>
</constraint>
</properties>
<defaultValue>64</defaultValue>
</leafNode>
</children>
</node>
#include <include/name-server-ipv4-ipv6.xml.i>
<leafNode name="split-dns">
<properties>
<help>Domains over which the provided DNS should be used</help>
<valueHelp>
<format>txt</format>
<description>Client prefix length</description>
</valueHelp>
<constraint>
<validator name="fqdn"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="tunnel-all-dns">
<properties>
<help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help>
<completionHelp>
<list>yes no</list>
</completionHelp>
<valueHelp>
<format>yes</format>
<description>Enable tunneling of all DNS traffic</description>
</valueHelp>
<valueHelp>
<format>no</format>
<description>Disable tunneling of all DNS traffic</description>
</valueHelp>
<constraint>
<regex>(yes|no)</regex>
</constraint>
</properties>
<defaultValue>no</defaultValue>
</leafNode>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>