Configuration changes to Strict-Transport-Security header for Absearch
Categories
(Cloud Services :: Operations: absearch, task)
Tracking
(Not tracked)
People
(Reporter: ttran, Assigned: wezhou)
Details
Please kindly configure the Strict-Transport-Security header so that it appears for 404 requests as well.
This is so that absearch would be able to comply with the security baseline check.
Currently the following is not passing:
Strict-Transport-Security Header Not Set [10035] x 2
https://search.stage.mozaws.net/robots.txt (404 Not Found)
https://search.stage.mozaws.net/sitemap.xml (404 Not Found)
I see that in -prod, even for 404s, the Strict-Transport-Security header is returned, so I don't understand why you said the security baseline check didn't pass. For example,
$ curl -I https://search.services.mozilla.com/sitemap.xml
HTTP/1.1 404 Not Found
Cache-Control: max-age=300
Content-Length: 0
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
Content-Type: application/json
Date: Wed, 21 Apr 2021 18:33:28 GMT
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: DENY
X-Frame-Options: DENY
Connection: keep-alive
Also, I see in https://github.com/mozilla-services/absearch/compare/2.0.2...2.0.3, you removed the Strict-Transport-Security header, which means if we were to deploy v2.0.3 to -prod, then that would break the security baseline check.
I'm confused.
Hi Wei,
So while absearch was on 2.0.2, Strict-Transport-Security appears twice as a header (e.g. https://search.services.mozilla.com/__version__) and once for 404s. I was not aware that it was already configured and the security baseline check did not pass because it appeared twice. So I thought removing it in the codebase would be easiest/bothered the least amount of people, hence 2.0.3, but then realized the security baseline check still didn't pass because it wasn't there for 404s anymore.
Currently, I was thinking that the changes for 2.0.3 and the changes in the deployment configuration would allow the security baseline check to pass as it would only appear once and appear for 404s?
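The two failure modes described in this thread (the header missing on 404 responses, and the header emitted twice when both the application and the deployment layer set it) are both easy to catch before a release with a small check over raw `curl -I` output. The script below is an added example and is not part of absearch or the cloudops-deployment repository; the three sample responses are constructed for illustration (the first mirrors the -prod 404 response quoted above), and the 15768000 minimum max-age is taken from that response rather than from any stated policy.

```python
"""Check that Strict-Transport-Security (HSTS) is present exactly once on a
response, including 404s, with a numeric max-age at or above a threshold.
Input is raw HTTP/1.x response text in the form produced by `curl -I`.
Added example, not project code."""

from typing import Dict, List, Tuple

HSTS = "strict-transport-security"


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status_code, headers). Header values are kept in a list per
    name so that a duplicated header is visible instead of being collapsed."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 404 Not Found"
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_hsts(raw: str, min_max_age: int = 15768000) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    status, headers = parse_response(raw)
    values = headers.get(HSTS, [])
    findings: List[str] = []
    if not values:
        findings.append(f"HSTS missing on {status} response")
        return findings
    if len(values) > 1:
        # Two copies typically means app and reverse proxy both add it.
        findings.append(f"HSTS appears {len(values)} times on {status} response")
    for v in values:
        directives = {
            d.strip().partition("=")[0].lower(): d.strip().partition("=")[2]
            for d in v.split(";") if d.strip()
        }
        age = directives.get("max-age", "")
        if not age.isdigit():
            findings.append(f"HSTS value {v!r} has no numeric max-age")
        elif int(age) < min_max_age:
            findings.append(f"HSTS max-age {age} below {min_max_age}")
    return findings


# Constructed sample responses (abridged from the curl output in this thread).
SAMPLE_404_OK = """HTTP/1.1 404 Not Found
Cache-Control: max-age=300
Content-Length: 0
Content-Type: application/json
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""

SAMPLE_200_DUPLICATE = """HTTP/1.1 200 OK
Content-Type: application/json
Strict-Transport-Security: max-age=15768000
Strict-Transport-Security: max-age=15768000
"""

SAMPLE_404_MISSING = """HTTP/1.1 404 Not Found
Content-Type: application/json
X-Frame-Options: DENY
"""

if __name__ == "__main__":
    for label, raw in [("404 ok", SAMPLE_404_OK),
                       ("200 duplicate", SAMPLE_200_DUPLICATE),
                       ("404 missing", SAMPLE_404_MISSING)]:
        print(label, "->", check_hsts(raw) or "pass")
```

Run it against real `curl -I` output for both a 200 and a 404 path (robots.txt and sitemap.xml are the ones the baseline check flagged) before promoting a release, so that removing the header from the application and adding it in the deployment configuration cannot silently leave a gap.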
Ok, that makes sense. Thank you for that.
https://github.com/mozilla-services/cloudops-deployment/pull/4241 is deployed to -stage along with v2.0.3. Please test it and let us know when it is ready for -prod.
Hi Wei,
Sorry that this took a while, but is it possible to push to prod when you're not busy?
No worries! And v2.0.3 along with https://github.com/mozilla-services/cloudops-deployment/pull/4241 is deployed to -prod.