Page MenuHomePhabricator
Create Task
Maniphest T262652

Improve the default security headers on push-notifications
Closed, ResolvedPublic
Actions

Description

Finding from security review:

Security Headers

  • Given that push-notifications will be a private, internal, RESTful service accessed only by Wikimedia production infrastructure, security headers aren't quite as much of a concern here. But it likely wouldn't hurt to tighten the defaults. media-src, img-src and style-src could all be set to 'none', I believe. I'd also recommend adding base-uri: 'self' to the content-security-policy header, and possibly removing x-webkit-csp and x-content-security-policy since those headers are deprecated. It also wouldn't be a bad idea to enable hsts if my assumption above that this service will be forced over TLS is correct. And finally setting access-control-allow-origin to whatever the internal hostname of the service ends up being. Risk: low.

Details

ProjectBranchLines +/-Subject
mediawiki/services/push-notificationsmaster+2 -6Improve the default security headers on push-notifications
Customize query in gerrit

Related Objects
Search...

Event Timeline

Jgiannelos created this task.Sep 11 2020, 9:38 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2020, 9:38 AM
Jgiannelos added a parent task: T246712: Security Readiness Review for push notifications infrastructure.Sep 11 2020, 9:47 AM
sbassett added a subscriber: sbassett.Sep 11 2020, 7:28 PM

Note: I've submitted a pull request for the template code which should address this issue for new services in the future.

Jgiannelos moved this task from Needs triage to Kanban on the Product-Infrastructure-Team-Backlog board.Sep 15 2020, 9:05 AM
Jgiannelos edited projects, added Product-Infrastructure-Team-Backlog (Kanban); removed Product-Infrastructure-Team-Backlog.
Jgiannelos claimed this task.Sep 15 2020, 9:12 AM
Jgiannelos moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog (Kanban) board.
gerritbot added a comment.Sep 15 2020, 9:35 AM

Change 627435 had a related patch set uploaded (by Jgiannelos; owner: Jgiannelos):
[mediawiki/services/push-notifications@master] Improve the default security headers on push-notifications

https://gerrit.wikimedia.org/r/627435

gerritbot added a project: Patch-For-Review.Sep 15 2020, 9:35 AM
Jgiannelos moved this task from Doing to Code Review on the Product-Infrastructure-Team-Backlog (Kanban) board.Sep 15 2020, 9:59 AM
gerritbot added a comment.Sep 15 2020, 10:50 AM

Change 627435 merged by jenkins-bot:
[mediawiki/services/push-notifications@master] Improve the default security headers on push-notifications

https://gerrit.wikimedia.org/r/627435

Jgiannelos moved this task from Code Review to To Deploy on the Product-Infrastructure-Team-Backlog (Kanban) board.Sep 15 2020, 1:52 PM
Mholloway triaged this task as High priority.Sep 15 2020, 3:41 PM
Mholloway closed this task as Resolved.Sep 15 2020, 4:43 PM
Mholloway added a subscriber: Mholloway.

I don't think this needs to wait in "To Deploy" for a service that isn't yet deployed to production. Let's call it resolved.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL