Closed Bug 1302164 Opened 8 years ago Closed 7 years ago

balrog should get an A from mozilla observatory

Categories

(Release Engineering Graveyard :: Applications: Balrog (backend), defect, P3)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: serban.constantin)

References

Details

(Whiteboard: [lang=python][good first bug][ready])

We discovered recently that the public Balrog domains get very poor ratings from https://observatory.mozilla.org. Although most of the things we fail on probably aren't applicable to a read-only site like aus5.mozilla.org, it should be trivial to get them a much better rating.

Here are the specific things that are dragging us down:
[ -5] X-Content-Type-Options header not implemented
[ -10] Contribute.json file cannot be parsed
[ -10] X-XSS-Protection header not implemented
[ -20] HTTP Strict Transport Security (HSTS) header not implemented
[ -20] X-Frame-Options (XFO) header not implemented
[ -25] Content Security Policy (CSP) header not implemented

Most of these are just setting a header to the correct value, and Contribute.json should be similarly easy to implement.

I've asked ulfr to run a similar test on aus4-admin.mozilla.org. I'll post the results here when we get them back.
Priority: -- → P3
Whiteboard: [lang=python][good first bug] → [lang=python][good first bug][ready]
I'd like to take a stab at this if it's ok.
(In reply to Serban Constantin from comment #1)
> I'd like to take a stab at this if it's ok.

That would be great! As a first order of business I'd suggest making sure you can run the Docker containers and tests (http://mozilla-balrog.readthedocs.io/en/latest/contribute.html). Once you can, have a look at https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/web/base.py#L31 and https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/test/web/test_client.py#L888 - those are the most likely places for the new code & tests.

Some of these things (CSP, X-Content-Type-Options) have actually just been fixed in https://github.com/mozilla/balrog/commit/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea, but the others still need addressing.

If you have any issues or questions, let me know here or in irc://irc.mozilla.org/#balrog.
After bug 1332829, this is the only thing that's dropping the score:

(In reply to Ben Hearsum (:bhearsum) from comment #0)
> [ -10] Contribute.json file cannot be parsed
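The header list in comment 0 and the contribute.json item above are both "set the right response" fixes. The following is an added example, not Balrog's own code or the change that landed in the linked commit: a small WSGI middleware that appends the headers Observatory looks for to every response, a hypothetical read-only app that serves /contribute.json as proper JSON (a missing route or a non-JSON content type is what "cannot be parsed" usually means), and a helper that reports which of the listed headers a response still lacks with the penalty comment 0 gives for each. The header values, the `SecurityHeaders`/`missing_headers` names and the contribute.json contents are all assumptions made for the example; the field names follow the public contribute.json convention but the values are placeholders.

```python
"""Added example: Observatory-style response headers as a WSGI middleware.

Not Balrog's code. Works with any WSGI app, including Flask via
``app.wsgi_app = SecurityHeaders(app.wsgi_app)``; stdlib only.
"""
import json

# Assumed values. A read-only JSON service can afford a strict CSP and
# deny framing outright. Note: browsers ignore HSTS on plain-HTTP
# responses, so it only matters on the HTTPS response the client sees.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

# Penalties exactly as listed in comment 0 (Contribute.json is handled
# by the route below, not by a header).
OBSERVATORY_PENALTY = {
    "X-Content-Type-Options": 5,
    "X-XSS-Protection": 10,
    "Strict-Transport-Security": 20,
    "X-Frame-Options": 20,
    "Content-Security-Policy": 25,
}

# Hypothetical contribute.json body; field names follow contributejson.org,
# values are placeholders for the example.
CONTRIBUTE_JSON = {
    "name": "Balrog",
    "description": "Firefox update server (example placeholder)",
    "repository": {"url": "https://github.com/mozilla/balrog", "license": "MPL2"},
    "participate": {"home": "https://github.com/mozilla/balrog",
                    "irc": "irc://irc.mozilla.org/#balrog"},
    "bugs": {"list": "https://bugzilla.mozilla.org/", "report": "https://bugzilla.mozilla.org/"},
    "keywords": ["python", "flask", "updates"],
}


class SecurityHeaders:
    """Wrap a WSGI app and add each security header the app did not set itself."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            # Respect headers the application chose; only fill in the gaps.
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers.items():
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, _start_response)


def contribute_json_body():
    """Serialized contribute.json exactly as the route returns it."""
    return json.dumps(CONTRIBUTE_JSON, sort_keys=True).encode("utf-8")


def demo_app(environ, start_response):
    """Hypothetical read-only app: serves /contribute.json, 404 for anything else."""
    if environ.get("PATH_INFO") == "/contribute.json":
        body = contribute_json_body()
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


app = SecurityHeaders(demo_app)


def call(wsgi_app, path):
    """Invoke a WSGI app in-process; return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


def missing_headers(headers):
    """Headers from comment 0's list absent from a response, with their penalties."""
    present = {name.lower() for name in headers}
    return {name: penalty for name, penalty in OBSERVATORY_PENALTY.items()
            if name.lower() not in present}


if __name__ == "__main__":
    for target, label in ((demo_app, "bare app"), (app, "wrapped app")):
        _, hdrs, _ = call(target, "/contribute.json")
        gaps = missing_headers(hdrs)
        print(f"{label}: missing {sorted(gaps)} (-{sum(gaps.values())} points)")
```

The middleware only appends headers the application left unset, so a route that needs a looser CSP (the admin UI, say) can still send its own; the `missing_headers` check is the kind of assertion that belongs next to the existing client tests in auslib/test/web/test_client.py.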
(In reply to Ben Hearsum (:bhearsum) from comment #3)
> After bug 1332829, this is the only thing that's dropping the score:
> 
> (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > [ -10] Contribute.json file cannot be parsed

Will take a look over it this weekend. As for the discussion/review, do you prefer to handle those things straight in the Github PR or here?
(In reply to Serban Constantin from comment #4)
> (In reply to Ben Hearsum (:bhearsum) from comment #3)
> > After bug 1332829, this is the only thing that's dropping the score:
> > 
> > (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > > [ -10] Contribute.json file cannot be parsed
> 
> Will take a look over it this weekend. As for the discussion/review, do you
> prefer to handle those things straight in the Github PR or here?

PRs are best, please and thank you :)
Depends on: 1337379
Summary: balrog shoud get an A from mozilla observatory → balrog should get an A from mozilla observatory
Assignee: nobody → serban.constantin
Thank you Serban, this is now in production!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Release Engineering → Release Engineering Graveyard