
Ensure that production deployment includes a Strict-Transport-Security header for toolhub.wikimedia.org
Closed, Resolved (Public)

Description

Security Review Summary - T273020 - 2021-08-09
Last commit reviewed: d9e475d1ff13

[...snip...]

Security Headers
A few security headers are not being served, at least when I run the docker-compose environment locally. Probably the most important missing header is HSTS, and possibly CSP, though the latter likely isn't necessary for Toolhub. Risk: Low.

Mostly we need to figure out if the HSTS header will be added by an intermediate service (varnish, k8s ingress, etc) or should be emitted directly from the Toolhub backend.

Event Timeline

In T288557#7276028, @Majavah wrote:

Looks like the header will be set by Varnish.

That makes sense, as the CDN edge is in control of the TLS certificates and encryption to the browser. I will leave this open until we can verify that the header is indeed being added as expected. That will be possible after we connect the CDN edge to the Kubernetes service to create an ingress for https://toolhub.wikimedia.org/.

bd808 claimed this task.
bd808 triaged this task as Medium priority.
bd808 moved this task from Backlog to Research needed on the Toolhub board.

I have verified that the CDN edge is adding strict-transport-security: max-age=106384710; includeSubDomains; preload as hoped.
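Added example, not Toolhub or Wikimedia code: a small Python checker for the verification step above. It parses a Strict-Transport-Security value per RFC 6797 and reports whether it meets the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload), which is what the header observed at the CDN edge has to satisfy for the preload directive to mean anything. The function names (parse_hsts, check_hsts, fetch_headers) and the sample header dictionaries are assumptions constructed for this example; only the edge value is the one quoted in this task.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) response header.

Added example; not part of Toolhub. Sample responses below are constructed.
"""
from __future__ import annotations

import http.client
import re
from dataclasses import dataclass

# hstspreload.org submission requirements: max-age >= 1 year (31536000 s),
# includeSubDomains and preload present.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the header value (RFC 6797 section 6.1).

    Directives are ';'-separated, names are case-insensitive, max-age is
    required and must be a non-negative integer, each directive may appear
    once, and unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age directive")
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"bad max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive missing")
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the policy is preload-ready.

    Header names are matched case-insensitively because the CDN emits the
    header in lowercase while Django-style apps tend to use Title-Case.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"unparseable Strict-Transport-Security header: {exc}"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} below 1 year needed for preload")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing")
    if not policy.preload:
        findings.append("preload missing")
    return findings


def fetch_headers(host: str, path: str = "/") -> dict[str, str]:
    """Live check over TLS (HSTS is only honoured by browsers on HTTPS responses,
    so a plain-HTTP docker-compose environment cannot be used to verify it)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())


# Constructed sample responses: the value seen at the CDN edge for
# toolhub.wikimedia.org, a weak policy, and a backend that sends none.
SAMPLES = {
    "edge": {"strict-transport-security": "max-age=106384710; includeSubDomains; preload"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "local": {"content-type": "text/html; charset=utf-8"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, check_hsts(hdrs) or "OK")
```

Run it against a live host with `check_hsts(fetch_headers("toolhub.wikimedia.org"))`; the offline samples show the three outcomes a reviewer cares about (edge value passes, short max-age without the other directives fails, header absent as in the local docker-compose setup).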