-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix duplicate security headers #8726
Conversation
WalkthroughThis update addresses security concerns by refining the management of security headers in HTTP responses from the backend. The Nginx configuration has been modified to dynamically assign security headers based on upstream headers, preventing redundancy. Additionally, new settings in the application configuration enhance security and file upload handling, including the introduction of a Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
Our NGINX configuration adds some headers to all responses, but Django already outputs these headers via `SecurityMiddleware` and `XFrameOptionsMiddleware`. So we end up with duplicate headers in the response, which has undefined semantics (and is just plain confusing). I don't want to remove these headers from the Django configuration (because I want them to still be output when run via the development server) _or_ from the NGINX configuration (because they should still be added when serving static files). So instead, keep them in both places, but let NGINX add each header only if the upstream server has not already added one. Also, update the referrer policy in Django to match the one we're using elsewhere.
fa19949
to
5770c91
Compare
Quality Gate passedIssues Measures |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
🧹 Outside diff range and nitpick comments (1)
cvat/nginx.conf (1)
44-56
: LGTM! The map blocks correctly implement conditional security headers.The implementation effectively solves the duplicate headers issue while maintaining security by:
- Only adding headers when not provided by Django
- Using secure default values that align with best practices
Consider aligning the empty string conditions for consistency:
map $upstream_http_referrer_policy $hdr_referrer_policy { - '' "strict-origin-when-cross-origin"; + "" "strict-origin-when-cross-origin"; } map $upstream_http_x_content_type_options $hdr_x_content_type_options { - '' "nosniff"; + "" "nosniff"; } map $upstream_http_x_frame_options $hdr_x_frame_options { - '' "deny"; + "" "deny"; }
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (3)
changelog.d/20241120_172837_roman.md
(1 hunks)cvat/nginx.conf
(1 hunks)cvat/settings/base.py
(1 hunks)
✅ Files skipped from review due to trivial changes (1)
- changelog.d/20241120_172837_roman.md
🔇 Additional comments (4)
cvat/nginx.conf (2)
62-64
: Verify security header consistency across location blocks.
The server-level security headers look good, but we should verify that no location blocks override these headers, which could lead to inconsistent security policies.
44-64
: Document the interaction with Django middleware.
Since these changes affect Django's SecurityMiddleware and XFrameOptionsMiddleware, please ensure the documentation is updated to:
- Explain which Django middleware classes can be disabled
- Document the header handling split between Nginx and Django
cvat/settings/base.py (2)
577-578
: LGTM! Good security practice for referrer policy.
The 'strict-origin-when-cross-origin' setting is a secure choice that provides a good balance between functionality and security by:
- Sending full referrer information to same-origin requests
- Only sending the origin for cross-origin requests
- Preventing referrer leakage when downgrading from HTTPS to HTTP
577-578
: Verify complete security header configuration
Since this PR addresses duplicate security headers between NGINX and Django, we should verify that all security headers are properly configured across both NGINX and Django settings.
✅ Verification successful
Security headers are properly configured across NGINX and Django
The verification shows a well-configured security setup:
-
Django has the essential SecurityMiddleware and secure headers:
- SECURE_PROXY_SSL_HEADER for SSL/TLS
- SECURE_REFERRER_POLICY matching NGINX's configuration
-
NGINX implements comprehensive security headers:
- Referrer-Policy (matching Django's strict-origin-when-cross-origin)
- X-Content-Type-Options (nosniff)
- X-Frame-Options (deny)
- Cross-Origin-Opener-Policy (same-origin)
- Cross-Origin-Embedder-Policy (credentialless/require-corp)
- Cache control headers
The security headers are properly distributed between Django and NGINX without problematic duplications.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Check for security header configurations in both Django and NGINX
# Check Django security middleware and settings
echo "Checking Django security settings..."
rg -A 5 "SecurityMiddleware"
rg "SECURE_"
# Check NGINX security header configuration
echo "Checking NGINX security header configuration..."
fd -e conf -e "*.conf.template" | xargs rg "add_header"
Length of output: 1942
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## develop #8726 +/- ##
========================================
Coverage 74.18% 74.18%
========================================
Files 401 401
Lines 43510 43510
Branches 3950 3950
========================================
+ Hits 32278 32279 +1
+ Misses 11232 11231 -1
|
Motivation and context
Our NGINX configuration adds some headers to all responses, but Django already outputs these headers via
SecurityMiddleware
andXFrameOptionsMiddleware
. So we end up with duplicate headers in the response, which has undefined semantics (and is just plain confusing).I don't want to remove these headers from the Django configuration (because I want them to still be output when run via the development server) or from the NGINX configuration (because they should still be added when serving static files). So instead, keep them in both places, but let NGINX add each header only if the upstream server has not already added one.
Also, update the referrer policy in Django to match the one we're using elsewhere.
How has this been tested?
Manual testing.
Checklist
develop
branch[ ] I have updated the documentation accordingly[ ] I have added tests to cover my changes[ ] I have linked related issues (see GitHub docs)[ ] I have increased versions of npm packages if it is necessary(cvat-canvas,
cvat-core,
cvat-data and
cvat-ui)
License
Feel free to contact the maintainers if that's a concern.
Summary by CodeRabbit
New Features
Bug Fixes
Chores