
Improve the default security headers on push-notifications
Closed, Resolved · Public


Finding from security review:

Security Headers

  • Given that push-notifications will be a private, internal, RESTful service accessed only by Wikimedia production infrastructure, security headers aren't quite as much of a concern here. But it likely wouldn't hurt to tighten the defaults. media-src, img-src and style-src could all be set to 'none', I believe. I'd also recommend adding base-uri: 'self' to the content-security-policy header, and possibly removing x-webkit-csp and x-content-security-policy since those headers are deprecated. It also wouldn't be a bad idea to enable hsts if my assumption above that this service will be forced over TLS is correct. And finally setting access-control-allow-origin to whatever the internal hostname of the service ends up being. Risk: low.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Sep 11 2020, 9:38 AM

Note: I've submitted a pull request for the template code which should address this issue for new services in the future.

Change 627435 had a related patch set uploaded (by Jgiannelos; owner: Jgiannelos):
[mediawiki/services/push-notifications@master] Improve the default security headers on push-notifications

Change 627435 merged by jenkins-bot:
[mediawiki/services/push-notifications@master] Improve the default security headers on push-notifications

Mholloway triaged this task as High priority. · Sep 15 2020, 3:41 PM
Mholloway closed this task as Resolved. · Sep 15 2020, 4:43 PM
Mholloway added a subscriber: Mholloway.

I don't think this needs to wait in "To Deploy" for a service that isn't yet deployed to production. Let's call it resolved.