Closed
Bug 1017175
Opened 10 years ago
Closed 7 years ago
Add missing headers to appmaker and http-helper
Categories
(Webmaker Graveyard :: DevOps, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: johns, Assigned: johns)
Details
https://stooge.mozillalabs.com/#/results/latest shows a lot of our apps not sending a few types headers, including: xfo xxp xcto csp hsts I'm starting with my app, http_helper, and also then doing appmaker.
|
Assignee | |
Comment 1•10 years ago
|
||
Commit pushed to helmet at https://github.com/mozilla/http_helper https://github.com/mozilla/http_helper/commit/3a08f68f16a7111367b3b2d5ca9699b14d1897da Use helmet, and set options for XSS, XFO for bug 1017175
|
|
Assignee | |
Comment 2•10 years ago
|
||
Commits pushed to master at https://github.com/mozilla/http_helper https://github.com/mozilla/http_helper/commit/3a08f68f16a7111367b3b2d5ca9699b14d1897da Use helmet, and set options for XSS, XFO for bug 1017175 https://github.com/mozilla/http_helper/commit/b75c3db66d51650c1ad9bbeb0ff820f44e2c0747 Merge pull request #1 from mozilla/helmet Use helmet, and set options for XSS, XFO for bug 1017175
|
|
Assignee | |
Comment 3•10 years ago
|
||
v0.3.0 of http_helper is pushed out, and includes XSS protection, XFO set to DENY, and Powered-by suppressed. Response headers before I pushed this version of http_helper: Connection:keep-alive Content-Length:32 Content-Type:text/plain Date:Wed, 28 May 2014 21:13:04 GMT X-Powered-By:Express After: Connection:keep-alive Date:Wed, 28 May 2014 21:39:08 GMT ETag:"2083392439" X-FRAME-OPTIONS:DENY X-XSS-Protection:1; mode=block I want to also add HSTS to this, having now added the mofoprod cert to https://redirect.mofoprod.net/healthcheck
|
|
Assignee | |
Comment 4•10 years ago
|
||
Commit pushed to headers at https://github.com/jdotpz/appmaker https://github.com/jdotpz/appmaker/commit/437837a78ac981512111c9beb969bd29e821a8cc Add security headers, configured on or off in .env, provided by helmet module for bug 1017175
|
|
Assignee | |
Comment 5•10 years ago
|
||
Hmmm, locally this is working: Connection:keep-alive Content-Length:8635 Content-Type:text/html; charset=utf-8 Date:Thu, 29 May 2014 02:16:38 GMT ETag:"519933736" Set-Cookie:webmakerlogin=s%3Aj%3A%7B%7D.12lEXp%2FF9cwd24gSWIhPFGWkqBBQ26o%2F6%2FEN83oT1fI; Domain=dummydummy; Path=/; Expires=Fri, 29 May 2015 02:16:38 GMT; HttpOnly X-FRAME-OPTIONS:DENY X-XSS-Protection:1; mode=block Same options on my Heroku version do not show X-FRAME-OPTIONS nor X-XSS-Protection. Connection:keep-alive Content-Length:8635 Content-Type:text/html; charset=utf-8 Date:Thu, 29 May 2014 02:18:15 GMT Etag:"519933736"
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•10 years ago
|
||
Ah, figured out that the branch I thought was up on heroku was not. I changed the settings to default to security headers/hsts on, and added a note in the README talking about HSTS and forcing https. New pull request : https://github.com/mozilla-appmaker/appmaker/pull/1333 Testing Demo: https://jps-appmaker.herokuapp.com My test site shows all the headers properly set. Remote Address:54.225.170.60:443 Request URL:https://jps-appmaker.herokuapp.com/ Request Method:GET Status Code:200 OK Request Headersview source Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding:gzip,deflate,sdch Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache Connection:keep-alive Cookie:webmakerlogin=s%3Aj%3A%7B%22user%22%3A%7B%22avatar%22%3A%22https%3A%2F%2Fsecure.gravatar.com%2Favatar%2F5237066634d5249ba437363762ca5a38%3Fs%3D26%26d%3Dhttps%253A%252F%252Fstuff.webmaker.org%252Favatars%252Fwebmaker-avatar-44x44.png%22%2C%22emailHash%22%3A%225237066634d5249ba437363762ca5a38%22%2C%22displayName%22%3A%22jdotp%22%2C%22id%22%3A9%2C%22email%22%3A%22johns%40mozillafoundation.org%22%2C%22username%22%3A%22jdotp%22%2C%22fullName%22%3A%22jdotp%22%2C%22deletedAt%22%3Anull%2C%22isAdmin%22%3Afalse%2C%22isSuspended%22%3Afalse%2C%22sendNotifications%22%3Afalse%2C%22sendEngagements%22%3Afalse%2C%22wasMigrated%22%3Atrue%2C%22createdAt%22%3A%222013-07-25T17%3A54%3A19.000Z%22%2C%22updatedAt%22%3A%222014-04-17T19%3A56%3A26.000Z%22%2C%22isCollaborator%22%3Afalse%2C%22sendEventCreationEmails%22%3Atrue%2C%22lastLoggedIn%22%3A%222014-04-17T19%3A56%3A26.000Z%22%2C%22subscribeToWebmakerList%22%3Afalse%2C%22referrer%22%3Anull%2C%22preflocale%22%3A%22en-US%22%7D%2C%22email%22%3A%22johns%40mozillafoundation.org%22%7D.ay2ZPeMiVhDWnim1D2J3vzraP1UctLvCrFdUOoINis0 Host:jps-appmaker.herokuapp.com Pragma:no-cache User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Response Headersview source Connection:keep-alive Content-Length:8635 Content-Type:text/html; charset=utf-8 Date:Fri, 30 May 2014 19:48:44 GMT Etag:"519933736" Strict-Transport-Security:max-age=15768000 X-Frame-Options:DENY X-Xss-Protection:1; mode=block
|
||
Comment 7•7 years ago
|
||
Closing this out as we move to deprecate the Webmaker Component. Issues can be re-filed at https://github.com/mozillafoundation/mofo-devops/issues/new if required.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•