Closed Bug 1302164 Opened 8 years ago Closed 8 years ago

balrog should get an A from mozilla observatory

Categories

(Release Engineering Graveyard :: Applications: Balrog (backend), defect, P3)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: serban.constantin)

References

Details

(Whiteboard: [lang=python][good first bug][ready])

We discovered recently that the public Balrog domains get very poor ratings from https://observatory.mozilla.org. Although most of the things we fail on probably aren't applicable to a read-only site like aus5.mozilla.org, it should be trivial to get them a much better rating. Here are the specific things that are dragging us down:

[ -5] X-Content-Type-Options header not implemented
[ -10] Contribute.json file cannot be parsed
[ -10] X-XSS-Protection header not implemented
[ -20] HTTP Strict Transport Security (HSTS) header not implemented
[ -20] X-Frame-Options (XFO) header not implemented
[ -25] Content Security Policy (CSP) header not implemented

Most of these are just setting a header to the correct value, and Contribute.json should be similarly easy to implement.

I've asked ulfr to run a similar test on aus4-admin.mozilla.org. I'll post the results here when we get them back.
Priority: -- → P3
Whiteboard: [lang=python][good first bug] → [lang=python][good first bug][ready]
I'd like to take a stab at this if it's ok.
(In reply to Serban Constantin from comment #1)
> I'd like to take a stab at this if it's ok.

That would be great! As a first order of business I'd suggest making sure you can run the Docker containers and tests (http://mozilla-balrog.readthedocs.io/en/latest/contribute.html). Once you can, have a look at https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/web/base.py#L31 and https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/test/web/test_client.py#L888 - those are the most likely places for the new code & tests. Some of these things (CSP, X-Content-Type-Options) have actually just been fixed in https://github.com/mozilla/balrog/commit/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea, but the others still need addressing. If you have any issues or questions, let me know here or in irc://irc.mozilla.org/#balrog.
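Added example, not Balrog's own code: stdlib-only WSGI middleware that adds the five headers deducted in comment #0 (the header values are illustrative choices for a read-only service), plus a checker that sums the deductions quoted there so a test can assert the score impact is gone. `plain_app` is a constructed stand-in for the update service; wrapping Balrog's Flask app via its `wsgi_app` attribute is an assumption about integration, not something the bug specifies.

```python
from wsgiref.util import setup_testing_defaults

# Illustrative values for a read-only service (not Balrog's). Added only when
# the app did not set the header itself, so a per-route override is kept.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

# Observatory deductions quoted in comment #0, keyed by the header tested.
PENALTIES = {
    "X-Content-Type-Options": -5,
    "X-XSS-Protection": -10,
    "Strict-Transport-Security": -20,
    "X-Frame-Options": -20,
    "Content-Security-Policy": -25,
}

def security_headers_middleware(app):
    """Wrap any WSGI app (e.g. flask_app.wsgi_app) so every response carries SECURITY_HEADERS."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in SECURITY_HEADERS.items()
                     if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, patched_start_response)
    return wrapped

def header_penalty(headers):
    """Sum the deductions for headers still missing; 0 means all are present."""
    present = {name.lower() for name in headers}
    return sum(p for n, p in PENALTIES.items() if n.lower() not in present)

def get_headers(app, path="/"):
    """Send one request through a WSGI app and return its response headers."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in REQUEST_METHOD, SERVER_NAME, ...
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)
    list(app(environ, start_response))  # consume the body iterable
    return captured["headers"]

def plain_app(environ, start_response):
    """Constructed stand-in for the update service: JSON body, no security headers."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"updates": []}']
```

X-XSS-Protection is included only because the scan quoted above deducted for it; Chromium and Firefox ignore that header today, so the real protection on this list comes from CSP, HSTS and XFO.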
After bug 1332829, this is the only thing that's dropping the score:

(In reply to Ben Hearsum (:bhearsum) from comment #0)
> [ -10] Contribute.json file cannot be parsed
(In reply to Ben Hearsum (:bhearsum) from comment #3)
> After bug 1332829, this is the only thing that's dropping the score:
>
> (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > [ -10] Contribute.json file cannot be parsed

Will take a look over it this weekend. As for the discussion/review, do you prefer to handle those things straight in the Github PR or here?
(In reply to Serban Constantin from comment #4)
> (In reply to Ben Hearsum (:bhearsum) from comment #3)
> > After bug 1332829, this is the only thing that's dropping the score:
> >
> > (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > > [ -10] Contribute.json file cannot be parsed
>
> Will take a look over it this weekend. As for the discussion/review, do you prefer to handle those things straight in the Github PR or here?

PRs are best, please and thank you :)
Depends on: 1337379
Summary: balrog shoud get an A from mozilla observatory → balrog should get an A from mozilla observatory
Assignee: nobody → serban.constantin
Thank you Serban, this is now in production!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: Release Engineering → Release Engineering Graveyard