Page MenuHomePhabricator

Add proper security headers to Query Builder
Open, MediumPublic3 Estimated Story Points

Description

Toolforge tool: https://securityheaders.com/?q=https%3A%2F%2Fquery-builder-test.toolforge.org%2F&followRedirects=on (redirects to production tool)
Production deployment: https://securityheaders.com/?q=https%3A%2F%2Fquery.wikidata.org%2Fquerybuilder%2F&followRedirects=on

Acceptance Criteria πŸ•οΈπŸŒŸ (September 2021)

  • Deployed query builder sites have security headers (Including CSP)

Event Timeline

Is this task about the current Toolforge deployment or the eventual production one? Because I expect the way to configure these headers will be totally different for both.

The eventual production one. We discussed that these headers are likely not to be added in the Query Builder code itself, but in the Apache server configuration, which probably does not live inside the Query Builder Repo. Though adding them to the test-server as well could be a decent test-run.

(So maybe this task should (also) be a sub-task to some deployment ticket?)

We discussed that these headers are likely not to be added in the Query Builder code itself, but in the Apache server configuration, which probably does not live inside the Query Builder Repo.

+1 from the Security-Team for this approach, as there can be issues when attempting to serve CSP at the app layer (see T238367).

For a moment I thought GNU Terry Pratchett was missing. Fortunately there is. Nice!

If this is prominently featured there, then ok. Alternatively, this ticket could live as a subtask of T266703 directly?

I just want to prevent us from overlooking this task in the long list of ACs in T266703. Especially because the Query Builder will work without these headers, so we might not even notice it until the security team gives us the evil eye.

Especially because the Query Builder will work without these headers, so we might not even notice it until the security team gives us the evil eye.

πŸ‘€

Change 708463 had a related patch set uploaded (by Ladsgroup; author: Ladsgroup):

[operations/puppet@production] miscweb: Add CSP headers for query builder

https://gerrit.wikimedia.org/r/708463

Addshore triaged this task as Medium priority.Wed, Sep 15, 8:13 AM
Addshore updated the task description. (Show Details)
Addshore removed a subscriber: β€’ bete.
Addshore set the point value for this task to 3.Wed, Sep 15, 10:27 AM

Left a comment on the patch that we need to decide how to address, will put this in waiting until that decision is made.

Should put in a request to deploy here once we agree on the added configuration https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20210921T1600

Yup. I might be able to ask people to get it deployed sooner but that's the safest bet.

Change 708463 merged by RLazarus:

[operations/puppet@production] miscweb: Add CSP headers for query builder

https://gerrit.wikimedia.org/r/708463

securityheaders.com is still giving a D grade. It looks like cp4030 still has cached headers, I can also see them when I SSH into bast4003 and make a request from there.

Should we try to purge it manually somehow? Or just assume it’s going to expire eventually?

Mentioned in SAL (#wikimedia-operations) [2021-09-23T15:54:52Z] <Lucas_WMDE> lucaswerkmeister-wmde@mwmaint1002:~$ echo 'https://query.wikidata.org/querybuilder/' | mwscript purgeList.php # T285761

Looks like purging it with purgeList.php worked \o/