Closed Bug 1468611 Opened 7 years ago Closed 6 years ago

please set additional response headers in balrog admin nginx

Categories: Cloud Services :: Operations: Product Delivery
Type: task; Priority: Not set; Severity: normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: bhearsum, Assigned: oremj

We should be setting the following for all responses:

Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

Normally I'd set these somewhere in the container, but I have no way to set them for static files (which are served by uwsgi, which doesn't let you set response headers for static files...). Simon, are there any other headers you think we should be setting, too?
Flags: needinfo?(sbennetts)
Blocks: 1457904
Can you set Content-Type here or won't you be able to work out the right one? Other than that all looks good.
Flags: needinfo?(sbennetts)
(In reply to Simon Bennetts [:psiinon] from comment #1)
> Can you set Content-Type here or won't you be able to work out the right one?
> Other than that all looks good.

Maybe... we'd have to be sure not to set it for responses that come from the wsgi app. And then we'd have to set it to different values for index.html, app.css, app.js, and the favicon I think?
Probably not worth doing for that, as long as something else sets them...
Assignee: nobody → oremj

Merged. Will go out in the next GCP deployment. Do you want these in AWS as well?

(In reply to Jeremy Orem [:oremj] from comment #5)
> Merged. Will go out in the next GCP deployment. Do you want these in AWS as
> well?

I think it's probably fine not to worry about AWS, it's going away soon enough.

Also, it looks like this CSP busts the site, because the js and css can't load :(. We need this change applied to fix it AFAICT. Sorry for the churn.

diff --git a/projects/balrog/k8s/charts/admin/templates/nginx-configmap.yaml b/projects/balrog/k8s/charts/admin/templates/nginx-configmap.yaml
index ae6efa18..8fb96fbc 100644
--- a/projects/balrog/k8s/charts/admin/templates/nginx-configmap.yaml
+++ b/projects/balrog/k8s/charts/admin/templates/nginx-configmap.yaml
@@ -77,17 +77,17 @@ data:
client_max_body_size 5M;

         # Health checks don't send an x-forwarded-proto header and we need to make sure they don't get infinite redirects
         if ($http_x_forwarded_proto = 'http') {
             return 302 {{ .Values.baseUrl }}$request_uri;
         }

         add_header Strict-Transport-Security "max-age=31536000" always;
  •        add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'" always;
    
  •        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
           add_header X-Content-Type-Options "nosniff" always;
           add_header X-Frame-Options "DENY" always;
    
           location / {
               proxy_set_header x-forwarded-proto $http_x_forwarded_proto;
               proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_redirect off;
    

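As an added example, not part of Balrog or of the Helm chart above: a small Python checker that verifies a raw HTTP response carries the four headers requested in the description, and then evaluates the Content-Security-Policy against the admin UI's own static files (app.js, app.css, the favicon) to show why `default-src 'none'` breaks the page while `default-src 'self'` does not. It implements the standard CSP source-matching rules (`'self'`, `'none'`, host and scheme sources, and the fact that `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`); the sample responses and the `https://admin.example.test` origin are constructed for the example.

```python
"""Added example (not Balrog code): check a raw HTTP response for the headers
requested in this bug, and evaluate its CSP against the admin UI's own static
files to show why default-src 'none' breaks app.js/app.css while 'self' does not.
The sample responses and the https://admin.example.test origin are constructed."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Directives that never fall back to default-src.
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri", "report-to"}
# Static files the admin UI loads (names from comment 2) and the directive governing each.
STATIC_ASSETS = {"script-src": "app.js", "style-src": "app.css", "img-src": "favicon.ico"}


def parse_csp(policy):
    """Split 'a b; c d' into {'a': ['b'], 'c': ['d']}; a repeated directive is ignored, as browsers do."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_source_matches(source, url):
    """Match host-sources such as https://cdn.example.test, *.example.test or a bare scheme 'https:'."""
    scheme, host, port = _origin(url)
    if source.endswith(":") and "/" not in source:      # scheme-source
        return source[:-1].lower() == scheme
    src_scheme, sep, rest = source.partition("://")
    if not sep:
        src_scheme, rest = "", source
    if src_scheme and src_scheme.lower() != scheme:
        return False
    src_host, _, src_port = rest.split("/", 1)[0].partition(":")
    src_host = src_host.lower()
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != host:
        return False
    return not src_port or src_port == "*" or int(src_port) == port


def csp_allows(policy, directive, url, page_url):
    """Would a page at page_url be allowed to load url under the given directive?
    Keyword sources other than 'self' (nonces, hashes, 'unsafe-inline', 'none') never match a URL."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = directives.get("default-src")
    if sources is None:
        return True                                     # nothing governs this load
    for src in sources:
        keyword = src.lower()
        if keyword == "'self'":
            if _origin(url) == _origin(page_url):
                return True
        elif keyword.startswith("'"):
            continue
        elif keyword == "*" or _host_source_matches(src, url):
            return True                                 # '*' treated as any network host
    return False


def parse_response_headers(raw):
    """Lower-cased header name -> list of values, taken from the head of a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(raw_response, page_url, min_hsts_age=31536000):
    """Return a list of findings; an empty list means the response passes every check."""
    h = parse_response_headers(raw_response)
    findings = []
    hsts = h.get("strict-transport-security", [])
    age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not age or int(age.group(1)) < min_hsts_age:
        findings.append("Strict-Transport-Security missing or max-age below %d" % min_hsts_age)
    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not exactly 'nosniff'")
    if [v.upper() for v in h.get("x-frame-options", [])] != ["DENY"]:
        findings.append("X-Frame-Options is not exactly 'DENY'")
    policies = h.get("content-security-policy", [])
    if not policies:
        findings.append("Content-Security-Policy missing")
    for policy in policies:                             # every delivered policy is enforced
        if [s.lower() for s in parse_csp(policy).get("frame-ancestors", [])] != ["'none'"]:
            findings.append("frame-ancestors 'none' missing from: " + policy)
        for directive, asset in STATIC_ASSETS.items():
            asset_url = page_url.rstrip("/") + "/" + asset
            if not csp_allows(policy, directive, asset_url, page_url):
                findings.append("CSP blocks the site's own %s (%s): %s" % (asset, directive, policy))
    return findings


# Constructed sample responses: the policy from the description, and the corrected one from the diff.
PAGE_URL = "https://admin.example.test/"
BROKEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<!doctype html><script src=\"/app.js\"></script>"
)
FIXED_RESPONSE = BROKEN_RESPONSE.replace("default-src 'none'", "default-src 'self'")

if __name__ == "__main__":
    for label, raw in (("default-src 'none'", BROKEN_RESPONSE), ("default-src 'self'", FIXED_RESPONSE)):
        print(label, "->", check_security_headers(raw, PAGE_URL) or "ok")
```

Running it reports three findings for the `'none'` policy (app.js, app.css and favicon.ico are all blocked, since `script-src`, `style-src` and `img-src` fall back to `default-src`) and none for the `'self'` policy. Two caveats worth keeping in mind when the policy is moved around: a browser enforces every CSP it receives, so an old header left in nginx next to a new one still blocks; and `frame-ancestors` is ignored when a policy is delivered in a `<meta>` element, so that directive (or `X-Frame-Options: DENY`) has to stay in the response headers.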
Merged that change.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

(In reply to Jeremy Orem [:oremj] from comment #7)
> Merged that change.

With apologies for the churn, can we get rid of the Content-Security-Policy from nginx? I discovered that I can set it in a <meta> tag, which should be easier for everyone.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED