Add missing headers to appmaker and http-helper

RESOLVED INCOMPLETE

Status

Webmaker
DevOps
RESOLVED INCOMPLETE
4 years ago
a year ago

People

(Reporter: jp, Assigned: jp)

Tracking

Details

(Assignee)

Description

4 years ago
https://stooge.mozillalabs.com/#/results/latest shows a lot of our apps not sending a few types headers, including:

xfo xxp xcto csp hsts

I'm starting with my app, http_helper, and also then doing appmaker.
(Assignee)

Comment 2

4 years ago
Commits pushed to master at https://github.com/mozilla/http_helper

https://github.com/mozilla/http_helper/commit/3a08f68f16a7111367b3b2d5ca9699b14d1897da
Use helmet, and set options for XSS, XFO for bug 1017175

https://github.com/mozilla/http_helper/commit/b75c3db66d51650c1ad9bbeb0ff820f44e2c0747
Merge pull request #1 from mozilla/helmet

Use helmet, and set options for XSS, XFO for bug 1017175
(Assignee)

Comment 3

4 years ago
v0.3.0 of http_helper is pushed out, and includes XSS protection, XFO set to DENY, and Powered-by suppressed.

Response headers before I pushed this version of http_helper:

Connection:keep-alive
Content-Length:32
Content-Type:text/plain
Date:Wed, 28 May 2014 21:13:04 GMT
X-Powered-By:Express

After:
Connection:keep-alive
Date:Wed, 28 May 2014 21:39:08 GMT
ETag:"2083392439"
X-FRAME-OPTIONS:DENY
X-XSS-Protection:1; mode=block

I want to also add HSTS to this, having now added the mofoprod cert to https://redirect.mofoprod.net/healthcheck
(Assignee)

Comment 4

4 years ago
Commit pushed to headers at https://github.com/jdotpz/appmaker

https://github.com/jdotpz/appmaker/commit/437837a78ac981512111c9beb969bd29e821a8cc
Add security headers, configured on or off in .env, provided by helmet module for bug 1017175
(Assignee)

Comment 5

4 years ago
Hmmm, locally this is working:

Connection:keep-alive
Content-Length:8635
Content-Type:text/html; charset=utf-8
Date:Thu, 29 May 2014 02:16:38 GMT
ETag:"519933736"
Set-Cookie:webmakerlogin=s%3Aj%3A%7B%7D.12lEXp%2FF9cwd24gSWIhPFGWkqBBQ26o%2F6%2FEN83oT1fI; Domain=dummydummy; Path=/; Expires=Fri, 29 May 2015 02:16:38 GMT; HttpOnly
X-FRAME-OPTIONS:DENY
X-XSS-Protection:1; mode=block

Same options on my Heroku version do not show X-FRAME-OPTIONS nor X-XSS-Protection.
Connection:keep-alive
Content-Length:8635
Content-Type:text/html; charset=utf-8
Date:Thu, 29 May 2014 02:18:15 GMT
Etag:"519933736"
Status: NEW → ASSIGNED
(Assignee)

Comment 6

4 years ago
Ah, figured out that the branch I thought was up on heroku was not.

I changed the settings to default to security headers/hsts on, and added a note in the README talking about HSTS and forcing https.  

New pull request : https://github.com/mozilla-appmaker/appmaker/pull/1333
Testing Demo:  https://jps-appmaker.herokuapp.com


My test site shows all the headers properly set.  
Remote Address:54.225.170.60:443
Request URL:https://jps-appmaker.herokuapp.com/
Request Method:GET
Status Code:200 OK
Request Headersview source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Cookie:webmakerlogin=s%3Aj%3A%7B%22user%22%3A%7B%22avatar%22%3A%22https%3A%2F%2Fsecure.gravatar.com%2Favatar%2F5237066634d5249ba437363762ca5a38%3Fs%3D26%26d%3Dhttps%253A%252F%252Fstuff.webmaker.org%252Favatars%252Fwebmaker-avatar-44x44.png%22%2C%22emailHash%22%3A%225237066634d5249ba437363762ca5a38%22%2C%22displayName%22%3A%22jdotp%22%2C%22id%22%3A9%2C%22email%22%3A%22johns%40mozillafoundation.org%22%2C%22username%22%3A%22jdotp%22%2C%22fullName%22%3A%22jdotp%22%2C%22deletedAt%22%3Anull%2C%22isAdmin%22%3Afalse%2C%22isSuspended%22%3Afalse%2C%22sendNotifications%22%3Afalse%2C%22sendEngagements%22%3Afalse%2C%22wasMigrated%22%3Atrue%2C%22createdAt%22%3A%222013-07-25T17%3A54%3A19.000Z%22%2C%22updatedAt%22%3A%222014-04-17T19%3A56%3A26.000Z%22%2C%22isCollaborator%22%3Afalse%2C%22sendEventCreationEmails%22%3Atrue%2C%22lastLoggedIn%22%3A%222014-04-17T19%3A56%3A26.000Z%22%2C%22subscribeToWebmakerList%22%3Afalse%2C%22referrer%22%3Anull%2C%22preflocale%22%3A%22en-US%22%7D%2C%22email%22%3A%22johns%40mozillafoundation.org%22%7D.ay2ZPeMiVhDWnim1D2J3vzraP1UctLvCrFdUOoINis0
Host:jps-appmaker.herokuapp.com
Pragma:no-cache
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Response Headersview source
Connection:keep-alive
Content-Length:8635
Content-Type:text/html; charset=utf-8
Date:Fri, 30 May 2014 19:48:44 GMT
Etag:"519933736"
Strict-Transport-Security:max-age=15768000
X-Frame-Options:DENY
X-Xss-Protection:1; mode=block
Closing this out as we move to deprecate the Webmaker Component.

Issues can be re-filed at https://github.com/mozillafoundation/mofo-devops/issues/new if required.
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.