balrog should get an A from mozilla observatory

RESOLVED FIXED

Status

Release Engineering
Applications: Balrog (backend)
P3
normal
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: bhearsum, Assigned: Serban Constantin)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [lang=python][good first bug][ready])

(Reporter)

Description

2 years ago
We discovered recently that the public Balrog domains get very poor ratings from https://observatory.mozilla.org. Although most of the things we fail on probably aren't applicable to a read-only site like aus5.mozilla.org, it should be trivial to get them a much better rating.

Here are the specific things that are dragging us down:
[ -5] X-Content-Type-Options header not implemented
[ -10] Contribute.json file cannot be parsed
[ -10] X-XSS-Protection header not implemented
[ -20] HTTP Strict Transport Security (HSTS) header not implemented
[ -20] X-Frame-Options (XFO) header not implemented
[ -25] Content Security Policy (CSP) header not implemented

Most of these are just setting a header to the correct value, and Contribute.json should be similarly easy to implement.

I've asked ulfr to run a similar test on aus4-admin.mozilla.org. I'll post the results here when we get them back.
(Reporter)

Updated

a year ago
Priority: -- → P3
Whiteboard: [lang=python][good first bug] → [lang=python][good first bug][ready]
(Assignee)

Comment 1

a year ago
I'd like to take a stab at this if it's ok.
(Reporter)

Comment 2

a year ago
(In reply to Serban Constantin from comment #1)
> I'd like to take a stab at this if it's ok.

That would be great! As a first order of business I'd suggest making sure you can run the Docker containers and tests (http://mozilla-balrog.readthedocs.io/en/latest/contribute.html). Once you can, have a look at https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/web/base.py#L31 and https://github.com/mozilla/balrog/blob/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea/auslib/test/web/test_client.py#L888 - those are the most likely places for the new code & tests.

Some of these things (CSP, X-Content-Type-Options) have actually just been fixed in https://github.com/mozilla/balrog/commit/0a5fd1b0478d7c27b136fa0a0121f9b6743673ea, but the others still need addressing.

If you have any issues or questions, let me know here or in irc://irc.mozilla.org/#balrog.
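The items listed in the description and the places comment 2 points at (a response hook in `auslib/web/base.py` plus tests in `auslib/test/web/test_client.py`) fit one small pattern: set the headers on every response, serve a parseable `contribute.json`, and have a test re-derive the Observatory deductions against the running app. The block below is an added example written for this page, not Balrog's code; it uses a stand-alone WSGI middleware from the standard library rather than Balrog's Flask app so it runs offline. The header values and the `contribute.json` contents are assumptions (reasonable defaults for a read-only site), not the values Balrog ships, and the scoring only mirrors the six deductions quoted in the bug, not the full Observatory test.

```python
"""Add the headers Mozilla Observatory checks to every WSGI response and score an
app the way the bug description tallies its deductions.

Example code written for this bug page; not Balrog's own implementation.
"""
import json
from wsgiref.util import setup_testing_defaults

# Deductions exactly as listed in the bug description (header name -> points).
OBSERVATORY_HEADER_CHECKS = {
    "X-Content-Type-Options": -5,
    "X-XSS-Protection": -10,
    "Strict-Transport-Security": -20,
    "X-Frame-Options": -20,
    "Content-Security-Policy": -25,
}
CONTRIBUTE_JSON_PENALTY = -10

# Assumed values: sensible defaults for a read-only update server, not Balrog's.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

# Constructed sample; the real file should follow the contribute.json spec.
CONTRIBUTE_JSON = {
    "name": "Balrog",
    "description": "Firefox update server (constructed sample)",
    "repository": {"url": "https://github.com/mozilla/balrog"},
    "participate": {
        "home": "http://mozilla-balrog.readthedocs.io/en/latest/contribute.html",
        "irc": "irc://irc.mozilla.org/#balrog",
    },
}


def balrog_like_app(environ, start_response):
    """Minimal stand-in for a read-only site: serves contribute.json and 'ok'."""
    if environ.get("PATH_INFO", "/") == "/contribute.json":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps(CONTRIBUTE_JSON).encode("utf-8")]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def add_security_headers(app, headers=SECURITY_HEADERS):
    """Wrap a WSGI app so every response carries the security headers.

    Headers the app already set win; only missing ones are appended.
    """
    def wrapped(environ, start_response):
        def start_response_with_headers(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            extra = [(n, v) for n, v in headers.items() if n.lower() not in present]
            return start_response(status, list(response_headers) + extra, exc_info)
        return app(environ, start_response_with_headers)
    return wrapped


def fetch(app, path):
    """Call a WSGI app in-process; return (status, header dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def score(app):
    """Re-derive the bug's deductions: missing headers and an unparseable contribute.json."""
    _, headers, _ = fetch(app, "/")
    lowered = {k.lower() for k in headers}
    findings = {}
    for name, penalty in OBSERVATORY_HEADER_CHECKS.items():
        if name.lower() not in lowered:
            findings[f"{name} header not implemented"] = penalty
    status, _, body = fetch(app, "/contribute.json")
    try:
        if not status.startswith("200"):
            raise ValueError(status)
        json.loads(body.decode("utf-8"))  # must be valid JSON to count
    except (ValueError, UnicodeDecodeError):
        findings["Contribute.json file cannot be parsed"] = CONTRIBUTE_JSON_PENALTY
    return findings


if __name__ == "__main__":
    print("bare:", score(balrog_like_app))
    print("hardened:", score(add_security_headers(balrog_like_app)))
```

`score(balrog_like_app)` reports the five header deductions from the description (80 points in total); wrapping the app with `add_security_headers` clears them, and an app that 404s or serves malformed `contribute.json` gets the remaining 10-point deduction. Two caveats for the real site: the Observatory scans the public HTTPS domain, so HSTS is only meaningful when the app is actually served over TLS, and a CSP of `default-src 'none'` is an assumption that suits a JSON-only endpoint but would break any HTML the server returns.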
(Reporter)

Comment 3

a year ago
After bug 1332829, this is the only thing that's dropping the score:

(In reply to Ben Hearsum (:bhearsum) from comment #0)
> [ -10] Contribute.json file cannot be parsed
(Assignee)

Comment 4

a year ago
(In reply to Ben Hearsum (:bhearsum) from comment #3)
> After bug 1332829, this is the only thing that's dropping the score:
> 
> (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > [ -10] Contribute.json file cannot be parsed

Will take a look over it this weekend. As for the discussion/review, do you prefer to handle those things straight in the Github PR or here?
(Reporter)

Comment 5

a year ago
(In reply to Serban Constantin from comment #4)
> (In reply to Ben Hearsum (:bhearsum) from comment #3)
> > After bug 1332829, this is the only thing that's dropping the score:
> > 
> > (In reply to Ben Hearsum (:bhearsum) from comment #0)
> > > [ -10] Contribute.json file cannot be parsed
> 
> Will take a look over it this weekend. As for the discussion/review, do you
> prefer to handle those things straight in the Github PR or here?

PRs are best, please and thank you :)
(Reporter)

Updated

a year ago
Depends on: 1337379
(Reporter)

Updated

a year ago
Summary: balrog shoud get an A from mozilla observatory → balrog should get an A from mozilla observatory
(Reporter)

Updated

a year ago
Assignee: nobody → serban.constantin
(Reporter)

Comment 7

a year ago
Thank you Serban, this is now in production!
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED