
Security Vulnerabilities: Missing HTTP Headers #2807

Closed
colton-nicotera opened this issue Aug 8, 2018 · 3 comments


colton-nicotera commented Aug 8, 2018

Missing HttpOnly and Secure Attribute in Session Cookie

The console-session cookie is missing the HttpOnly and Secure attributes. This allows it to be accessed by external client-side scripts.
Reference: https://www.owasp.org/index.php/HttpOnly

Cacheable HTTPS Response
Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same system at a future time.
Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:
1- Cache-control: no-store
2- Pragma: no-cache
Example of an affected route: https://my.console:4443/pp/v1/auth/session/verify

Both of these issues are present on the all-in-one docker deployment.
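
As an added example, not the reporter's code and not Stratos/jetstream code, here is how the two findings above can be checked programmatically in Go (the language jetstream is written in). A stand-in handler reproduces the reported response shape for the verify route, and AuditResponse inspects Set-Cookie and Cache-Control the way a scanner would. The handler body, the cookie value and the function names are constructed for this example; only the route and cookie name come from the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// WeakVerifyHandler reproduces the class of response described in the issue:
// the session cookie is set without HttpOnly/Secure and the JSON body carries
// no Cache-Control header. Constructed for this example, not jetstream code.
func WeakVerifyHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:  "console-session",
		Value: "opaque-session-id", // constructed value
		Path:  "/",
	})
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"status":"ok","account":"admin"}`)
}

// Finding is one missing-attribute or missing-header observation.
type Finding string

// AuditResponse checks a response the way a scanner would: does the named
// session cookie carry HttpOnly and Secure, and is the body marked no-store?
func AuditResponse(resp *http.Response, sessionCookie string) []Finding {
	var findings []Finding
	found := false
	for _, c := range resp.Cookies() { // parsed from every Set-Cookie header
		if c.Name != sessionCookie {
			continue
		}
		found = true
		if !c.HttpOnly {
			findings = append(findings, Finding("cookie "+c.Name+" missing HttpOnly"))
		}
		if !c.Secure {
			findings = append(findings, Finding("cookie "+c.Name+" missing Secure"))
		}
	}
	if !found {
		findings = append(findings, Finding("cookie "+sessionCookie+" not set"))
	}
	// Cache-Control is a comma-separated directive list; only no-store
	// prevents the response from being written to a local cache.
	noStore := false
	for _, d := range strings.Split(resp.Header.Get("Cache-Control"), ",") {
		if strings.EqualFold(strings.TrimSpace(d), "no-store") {
			noStore = true
		}
	}
	if !noStore {
		findings = append(findings, Finding("response cacheable: Cache-Control lacks no-store"))
	}
	return findings
}

// AuditHandler drives a handler through httptest so the audit runs offline.
func AuditHandler(h http.HandlerFunc, path, sessionCookie string) []Finding {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return AuditResponse(rec.Result(), sessionCookie)
}

func main() {
	for _, f := range AuditHandler(WeakVerifyHandler, "/pp/v1/auth/session/verify", "console-session") {
		fmt.Println(f)
	}
}
```

Run against the stand-in handler it reports all three findings from the issue; pointed at a real deployment (replace the httptest call with an http.Client request to the verify route) the same AuditResponse works unchanged.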

@richard-cox (Contributor)

Ok, I've had a brief look into this and will probably need to bring in a few other people. Until then here's my initial findings.

HttpOnly and Secure should be set across all deployments as they go through the same session cookie path. Running in docker-compose (which is the same as in k8) successfully adds them; however, they're missing from both the all-in-one and CF app deployment types. We'll need to investigate why the same process isn't applied to both.

For cache-control, we do add no-cache for static content in docker-compose and k8 but not for any jetstream requests (neither jetstream-specific nor proxied to a CF). What I think we'll need to do...

  • Add cache-control: no-cache to jetstream static file requests (this is only missing in types all-in-one and CF app)
  • Add cache-control: no-store to all non-static requests, or at least /auth and endpoint proxies.

For pragma, it looks like this is a client-side-specific request header and is not something we need to add to the response header.
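
The plan in the comment above, as an added example that is not the project's own change: Go net/http middleware that gives static paths Cache-Control: no-cache and every other path (so /auth and the endpoint proxies) no-store, together with a cookie helper that sets HttpOnly and Secure on console-session. The /static/ prefix, the stand-in route handlers, the cookie value and SameSite=Lax are assumptions made for this example; jetstream's real routing and session store are not shown here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SetSessionCookie issues the console-session cookie with the attributes the
// issue asks for: HttpOnly keeps it out of document.cookie, Secure keeps it
// off plaintext HTTP. SameSite=Lax is an extra this example adds.
func SetSessionCookie(w http.ResponseWriter, value string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "console-session",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

// IsStatic decides which requests count as static content. The /static/
// prefix is an assumption for this example, not jetstream's real routing.
func IsStatic(path string) bool {
	return path == "/" || strings.HasPrefix(path, "/static/")
}

// CacheControl applies the two-tier policy: static files get no-cache
// (always revalidate), everything else gets no-store so nothing sensitive
// is written to a local cache. Headers are set before the handler writes.
func CacheControl(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsStatic(r.URL.Path) {
			w.Header().Set("Cache-Control", "no-cache")
		} else {
			w.Header().Set("Cache-Control", "no-store")
		}
		next.ServeHTTP(w, r)
	})
}

// NewConsoleMux wires two stand-in routes behind the middleware.
func NewConsoleMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/pp/v1/auth/session/verify", func(w http.ResponseWriter, r *http.Request) {
		SetSessionCookie(w, "opaque-session-id") // constructed value
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	mux.HandleFunc("/static/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprint(w, "console.log('stand-in asset')")
	})
	return CacheControl(mux)
}

// Probe records what a scanner would inspect in one response.
type Probe struct {
	CacheControl string
	HttpOnly     bool
	Secure       bool
}

// ProbePath serves a single GET offline through httptest and returns the Probe.
func ProbePath(h http.Handler, path string) Probe {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	resp := rec.Result()
	p := Probe{CacheControl: resp.Header.Get("Cache-Control")}
	for _, c := range resp.Cookies() {
		if c.Name == "console-session" {
			p.HttpOnly, p.Secure = c.HttpOnly, c.Secure
		}
	}
	return p
}

func main() {
	h := NewConsoleMux()
	for _, path := range []string{"/pp/v1/auth/session/verify", "/static/app.js"} {
		fmt.Printf("%-28s %+v\n", path, ProbePath(h, path))
	}
}
```

One caveat when porting this: Secure cookies are never sent over plain http://, so a local all-in-one container reached without TLS will appear to lose its session; terminate TLS in front of it or test against the HTTPS port (4443 in the report).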

@richard-cox richard-cox added bug P1 Priority 1 labels Aug 9, 2018
@richard-cox richard-cox self-assigned this Aug 23, 2018
@richard-cox (Contributor)

@nwmac PR created - nwmac/sqlitestore#3

@richard-cox (Contributor)

@colton-nicotera Thanks for raising this issue. We've addressed this in the following changes:
Session Cookies... #2911 + nwmac/sqlitestore#3
Caching... #2910
If you continue to see this issue or have any further questions please just let us know.
