api.lando.devsvcdev.mozaws.net has failed the web security baseline
Categories
(Conduit :: Lando, defect, P2)
Tracking
(Not tracked)
People
(Reporter: psiinon, Unassigned)
Details
(Keywords: conduit-triaged)
Site https://api.lando.devsvcdev.mozaws.net has failed the web security baseline scan.
The failing tests are:
Strict-Transport-Security Header Not Set [10035] x 8
- https://api.lando.devsvcdev.mozaws.net/robots.txt (404 NOT FOUND)
- https://api.lando.devsvcdev.mozaws.net/sitemap.xml (404 NOT FOUND)
- https://api.lando.devsvcdev.mozaws.net/landings/update (400 BAD REQUEST)
- https://api.lando.devsvcdev.mozaws.net/requestSecApproval (400 BAD REQUEST)
- https://api.lando.devsvcdev.mozaws.net/stacks/revision_id (400 BAD REQUEST)
This issue was automatically raised.
This issue is managed automatically by the baseline scan:
- If the failing tests change then it will be updated
- If it is closed before the tests pass then a new one will be opened
- When all of the tests pass then it will be closed
Full details, including how to test for these issues locally, can be found on this Security Baseline Service dashboard.
If you have any questions or concerns, please get in contact with @psiinon.
Updated•5 years ago
:smacleod - These are all URLs handled by the app, not nginx.
nginx already sets STS here: https://github.com/mozilla-services/cloudops-infra/blob/master/projects/lando/k8s/charts/api/templates/nginx-configmap.yaml#L84
The app needs to set STS on the 4xx responses as well. We already set the CSP from the app, so it makes sense that the STS could/would be set there as well.
fwiw, I added 'always' to the STS option but there was no change in behavior.
Comment 2•5 years ago
Spoke too soon (and cursed kubernetes quite a bit in the process); the 'always' param did work. Nothing more to see here. Move along.
I will make the changes to all lando configs and redeploy.
On redeploy to -dev, I see STS enabled on all the URLs mentioned above.
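As an added example, not code from this bug or from Lando, here is a small Python check of the rule the baseline applies above: the Strict-Transport-Security header must be present (with a usable max-age; the threshold is an assumption) on every response, 4xx included, because a browser accepts an HSTS policy from any HTTPS response regardless of status code. That is exactly what nginx's `add_header ... always;` buys, since without `always` the header is added only to 2xx/3xx-class responses, which is why the 400s and 404s above were flagged while normal pages passed.

```python
import re
from typing import Dict, List, Tuple

# Minimum max-age accepted by this check. Assumed value for the example;
# the real baseline's threshold is not stated in the bug.
MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into directives, keyed by lower-cased name."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_response(url: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means it passes.
    The header is required for every status: an unprotected 404 or 400 is
    as much a gap as an unprotected 200."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return [f"Strict-Transport-Security Header Not Set: {url} ({status})"]
    max_age = parse_hsts(hsts).get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        return [f"HSTS max-age missing or malformed: {url} ({status})"]
    if int(max_age) < MIN_MAX_AGE:
        return [f"HSTS max-age below {MIN_MAX_AGE}: {url} ({status})"]
    return []


def scan(responses: List[Tuple[str, int, Dict[str, str]]]) -> List[str]:
    """Run check_response over captured (url, status, headers) triples."""
    return [f for url, status, hdrs in responses
            for f in check_response(url, status, hdrs)]


# Constructed sample: the state the scan reported (header only on the 200,
# as with add_header lacking 'always') versus the state after the fix.
HSTS_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
BEFORE_FIX = [
    ("https://api.lando.devsvcdev.mozaws.net/", 200, HSTS_OK),
    ("https://api.lando.devsvcdev.mozaws.net/robots.txt", 404, {}),
    ("https://api.lando.devsvcdev.mozaws.net/landings/update", 400,
     {"Content-Type": "application/json"}),
]
AFTER_FIX = [(u, s, dict(HSTS_OK)) for u, s, _ in BEFORE_FIX]

if __name__ == "__main__":
    for label, rs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, scan(rs) or "pass")
```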
Comment 4•5 years ago