Closed
Bug 1302164
Opened 8 years ago
Closed 7 years ago
balrog should get an A from mozilla observatory
Categories: Release Engineering Graveyard :: Applications: Balrog (backend), defect, P3
RESOLVED
FIXED
(Reporter: bhearsum, Assigned: serban.constantin)
(Whiteboard: [lang=python][good first bug][ready])
We discovered recently that the public Balrog domains get very poor ratings from https://observatory.mozilla.org. Although most of the things we fail on probably aren't applicable to a read-only site like aus5.mozilla.org, it should be trivial to get them a much better rating. Here's the specific things that are dragging us down:

[ -5] X-Content-Type-Options header not implemented
[-10] Contribute.json file cannot be parsed
[-10] X-XSS-Protection header not implemented
[-20] HTTP Strict Transport Security (HSTS) header not implemented
[-20] X-Frame-Options (XFO) header not implemented
[-25] Content Security Policy (CSP) header not implemented

Most of these are just setting a header to the correct value, and Contribute.json should be similarly easy to implement.

I've asked ulfr to run a similar test on aus4-admin.mozilla.org. I'll post the results here when we get them back.
Updated (Reporter) • 7 years ago
Priority: -- → P3
Whiteboard: [lang=python][good first bug] → [lang=python][good first bug][ready]
Comment 1 (Assignee) • 7 years ago
I'd like to take a stab at this if it's ok.
Comment 2 (Reporter) • 7 years ago
(In reply to Serban Constantin from comment #1)
> I'd like to take a stab at this if it's ok.

That would be great! As a first order of business I'd suggest making sure you can run the Docker containers and tests (http://mozilla-balrog.readthedocs.io/en/latest/contribute.html). Once you can, have a look at https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/web/base.py#L31 and https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/test/web/test_client.py#L888 - those are the most likely places for the new code & tests.

Some of these things (CSP, X-Content-Type-Options) have actually just been fixed in https://github.com/mozilla/balrog/commit/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea, but the others still need addressing.

If you have any issues or questions, let me know here or in irc://irc.mozilla.org/#balrog.
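The following is an added example, not Balrog's own code and not the change that eventually landed. It shows the two halves of the work described in this bug in framework-neutral Python: a WSGI wrapper that adds the missing response headers and serves a parseable /contribute.json, and a small checker that applies the same deductions listed in comment 0 to a response so the fix can be verified in a unit test without a live Observatory scan. The header values, the contribute.json fields, the sample application and its paths are all assumptions made for this example; the checker reproduces only the six deductions quoted in this bug, not the full Observatory scoring algorithm.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Header values the wrapper adds.  These are this example's assumptions for a
# read-only update service (no scripts, styles or frames are needed), not
# Balrog's actual configuration.
SECURITY_HEADERS: Dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

# Constructed contribute.json document; field names are an assumption here.
CONTRIBUTE_JSON: Dict[str, object] = {
    "name": "Balrog",
    "description": "Mozilla's application update server",
    "repository": {"url": "https://github.com/mozilla/balrog"},
    "participate": {
        "home": "https://github.com/mozilla/balrog",
        "docs": "http://mozilla-balrog.readthedocs.io/en/latest/contribute.html",
    },
    "keywords": ["python", "flask", "docker"],
}

# (header, points deducted, predicate on the value), mirroring comment 0.
HEADER_CHECKS: List[Tuple[str, int, Callable[[str], bool]]] = [
    ("X-Content-Type-Options", 5, lambda v: v.strip().lower() == "nosniff"),
    ("X-XSS-Protection", 10, lambda v: v.strip().startswith("1")),
    ("Strict-Transport-Security", 20, lambda v: "max-age=" in v.lower()),
    ("X-Frame-Options", 20, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    ("Content-Security-Policy", 25, lambda v: bool(v.strip())),
]


class SecurityHeadersMiddleware:
    """Wrap any WSGI app: add the headers above (without overriding ones the
    app already set) and answer /contribute.json with a valid JSON body."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") == "/contribute.json":
            body = json.dumps(CONTRIBUTE_JSON).encode("utf-8")
            headers = [("Content-Type", "application/json"),
                       ("Content-Length", str(len(body)))]
            headers += list(SECURITY_HEADERS.items())
            start_response("200 OK", headers)
            return [body]

        def wrapped_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [(k, v) for k, v in SECURITY_HEADERS.items()
                                      if k.lower() not in present]
            return start_response(status, merged, exc_info)

        return self.app(environ, wrapped_start)


def plain_app(environ, start_response):
    """Assumed stand-in for an update service that sets no security headers."""
    if environ.get("PATH_INFO") == "/update/sample":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"updates": []}']
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call_wsgi(app, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    body = b"".join(app(environ, start_response))
    return str(captured["status"]), dict(captured["headers"]), body


def observatory_score(headers: Dict[str, str],
                      contribute_body: Optional[bytes]) -> Tuple[int, List[str]]:
    """Apply the six deductions from comment 0 to a response; 100 is a clean run."""
    lowered = {k.lower(): v for k, v in headers.items()}
    score, failures = 100, []
    for name, points, ok in HEADER_CHECKS:
        value = lowered.get(name.lower())
        if value is None or not ok(value):
            score -= points
            failures.append(f"[-{points}] {name} header not implemented")
    try:
        if not isinstance(json.loads(contribute_body or b""), dict):
            raise ValueError("contribute.json must be a JSON object")
    except ValueError:
        score -= 10
        failures.append("[-10] Contribute.json file cannot be parsed")
    return score, failures


def scan(app) -> Tuple[int, List[str]]:
    """Fetch one update response and /contribute.json, then score them."""
    _, headers, _ = call_wsgi(app, "/update/sample")
    _, _, contribute = call_wsgi(app, "/contribute.json")
    return observatory_score(headers, contribute)
```

Running scan(plain_app) reproduces the state reported in comment 0 (all six deductions, score 10), while scan(SecurityHeadersMiddleware(plain_app)) returns 100 with no failures. The wrapper deliberately keeps any header the application already emits, so a route that needs a different CSP or X-Frame-Options value can still set its own; the checker then confirms the value is acceptable rather than merely present.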
Comment 3 (Reporter) • 7 years ago
After bug 1332829, this is the only thing that's dropping the score:

(In reply to Ben Hearsum (:bhearsum) from comment #0)
> [-10] Contribute.json file cannot be parsed
Comment 4 (Assignee) • 7 years ago
(In reply to Ben Hearsum (:bhearsum) from comment #3)
> After bug 1332829, this is the only thing that's dropping the score:
>
> (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > [-10] Contribute.json file cannot be parsed

Will take a look over it this weekend. As for the discussion/review, do you prefer to handle those things straight in the GitHub PR or here?
Comment 5 (Reporter) • 7 years ago
(In reply to Serban Constantin from comment #4)
> Will take a look over it this weekend. As for the discussion/review, do you
> prefer to handle those things straight in the GitHub PR or here?

PRs are best, please and thank you :)
Comment 6 • 7 years ago
Commit pushed to master at https://github.com/mozilla/balrog

https://github.com/mozilla/balrog/commit/df8c0af96753702989e48d60d1715e3a2aefc748
bug 1302164: add contribute.json (#237). r=bhearsum
Updated (Reporter) • 7 years ago
Summary: balrog shoud get an A from mozilla observatory → balrog should get an A from mozilla observatory
Updated (Reporter) • 7 years ago
Assignee: nobody → serban.constantin
Comment 7 (Reporter) • 7 years ago
Thank you Serban, this is now in production!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated • 4 years ago
Product: Release Engineering → Release Engineering Graveyard