[secaudit-blocking] Missing security headers #333

Closed
5 tasks
puiterwijk opened this issue Aug 12, 2020 · 1 comment · Fixed by #502
Labels
security Security issue

Comments

@puiterwijk

puiterwijk commented Aug 12, 2020

Part of secaudit #316, blocking.

There are multiple security headers missing that are required per the Fedora Infrastructure Application Security Policy.

After logging in, the profile page is missing:

  • X-Frame-Options: missing, MUST
  • X-Xss-Protection: missing, MUST
  • X-Content-Type-Options: missing, MUST
  • Referrer-Policy: missing, MUST
  • Content-Security-Policy: missing, MUST
@abompard
Member

I'm working through this, setting the CSP header is causing some breakage that I'm trying to fix. I'm currently trying to find a workaround for this bug: twbs/bootstrap#25394. The story is that Bootstrap uses data:image/svg+xml in their CSS to draw arrows and such in forms, and allowing data: sources in the CSP is insecure (look for data:).
Not sure how practical it would be to extract all those images from the CSS and store them as files in the static dir. It seems like it'll be a maintenance burden, too.
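
The two comments above describe the headers the audit found missing on the profile page and the CSP/`data:` problem that made the fix non-trivial. The following is an added example, not code from noggin or from either commenter: a stdlib-only WSGI middleware that adds the five headers from the audit list to every response, plus a small checker that reports which required headers a response lacks and whether a CSP would let images load from `data:` URIs. The header values are this example's own choices (the issue names the headers, not the values the policy requires), the `profile_app` stand-in is constructed for the example, and the middleware is written against plain WSGI so it also wraps a Flask app via `app.wsgi_app`.

```python
"""Added example (not noggin's code): add the five headers from the audit
to every WSGI response, and audit a response the way the secaudit did.
Stdlib only; Flask's `app.wsgi_app` is a WSGI callable, so the same
middleware wraps a Flask app unchanged."""
from wsgiref.util import setup_testing_defaults

# Values below are this example's choices, not the policy's wording.
# The CSP has no `data:` source on purpose: Bootstrap's SVG arrows embedded
# in its CSS would need `img-src data:`, which the issue wants to avoid.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    # Legacy header (current browsers ignore it); listed because the audit requires it.
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": (
        "default-src 'self'; img-src 'self'; style-src 'self'; "
        "script-src 'self'; object-src 'none'; frame-ancestors 'none'; "
        "base-uri 'self'; form-action 'self'"
    ),
}
REQUIRED = tuple(SECURITY_HEADERS)


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add any missing required header to each response.

    Headers the view already set are left alone, so a page can override a
    value (for example a stricter per-page CSP) without being clobbered."""

    def __init__(self, app, headers=None):
        self.app = app
        self.headers = dict(headers or SECURITY_HEADERS)

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers.items():
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, _start_response)


def missing_security_headers(headers, required=REQUIRED):
    """Return the required header names absent from a (name, value) list."""
    present = {name.lower() for name, _ in headers}
    return [name for name in required if name.lower() not in present]


def csp_directive(csp, name):
    """Source list of a fetch directive, falling back to default-src as
    browsers do for fetch directives such as img-src; None if neither is set."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if name in directives:
        return directives[name]
    return directives.get("default-src")


def csp_allows_data_images(csp):
    """True if the policy lets <img> and CSS images load from data: URIs.
    Note that `*` does not match data: in CSP, so only an explicit data: counts."""
    sources = csp_directive(csp, "img-src") or []
    return any(s.lower() == "data:" for s in sources)


def call_app(app, path="/profile"):
    """Drive a WSGI app offline with wsgiref defaults; return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def profile_app(environ, start_response):
    """Constructed stand-in for the profile page: sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>profile</body></html>"]


if __name__ == "__main__":
    _, before, _ = call_app(profile_app)
    print("missing before:", missing_security_headers(before))
    _, after, _ = call_app(SecurityHeadersMiddleware(profile_app))
    print("missing after:", missing_security_headers(after))
    print("CSP allows data: images:",
          csp_allows_data_images(dict(after)["Content-Security-Policy"]))
```

The checker reads `img-src` with the `default-src` fallback because a policy such as `default-src 'self' data:` permits `data:` images just as an explicit `img-src data:` does; both shapes show up when someone "just makes Bootstrap work", and both are what the comment above calls insecure.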

abompard added a commit to abompard/noggin that referenced this issue Feb 17, 2021
Fixes fedora-infra#333

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
abompard added a commit to abompard/noggin that referenced this issue Feb 17, 2021 (same commit message: "Fixes fedora-infra#333")
@abompard abompard linked a pull request Feb 17, 2021 that will close this issue
abompard added a commit to abompard/noggin that referenced this issue Feb 18, 2021 (same commit message)
abompard added a commit to abompard/noggin that referenced this issue Feb 24, 2021 (same commit message)
abompard added a commit to abompard/noggin that referenced this issue Feb 25, 2021 (same commit message)
abompard added a commit that referenced this issue Feb 25, 2021
Fixes #333

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
@ryanlerch ryanlerch added this to AAA Jul 19, 2024
@ryanlerch ryanlerch moved this to Done within Sprint in AAA Jul 19, 2024
2 participants