
Node services should share code and configuration for security headers
Open, Low, Public

Description

Node services that expose public APIs should apply security headers to their responses. While some generic headers may be applied by the API gateway, API endpoints may want to provide headers tuned specifically to their response.

Sharing code for emitting security headers could be achieved by creating an npm module for this purpose. This npm module should then be referenced from the service template / scaffolding.

Beyond sharing code, services also need to share knowledge about the deployment environment, in the form of configuration. This includes knowledge e.g. about trusted sources for media files or JavaScript code. This could perhaps be done using Helm charts, k8s config maps, or etcd.
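A sketch of what such a shared module could look like, added here as an illustration and not taken from the task or from any existing Wikimedia code. The function names, the `profile` parameter, the configuration keys and the example.org hostnames are all assumptions; the configuration object stands in for whatever a Helm chart, ConfigMap or etcd would supply.

```javascript
'use strict';

// Constructed sample of shared deployment configuration (e.g. mounted from a
// k8s ConfigMap as JSON). Keys and hostnames are assumptions for illustration.
const SAMPLE_ENV_CONFIG = {
  trustedScriptSources: ['https://static.example.org'],
  trustedMediaSources: ['https://media.example.org', 'https://upload.example.org'],
};

// A CSP source must not contain whitespace, ';', ',', quotes or control
// characters, otherwise a config value could inject extra directives.
function assertSafeSource(src) {
  if (typeof src !== 'string' || !/^[^\s;,'"\x00-\x1f]+$/.test(src)) {
    throw new Error(`unsafe CSP source in configuration: ${JSON.stringify(src)}`);
  }
  return src;
}

// Serialize { 'img-src': ["'self'", 'https://x'] } to "img-src 'self' https://x".
function serializeCsp(directives) {
  return Object.entries(directives)
    .filter(([, values]) => values !== null)
    .map(([name, values]) => [name, ...values].join(' ').trim())
    .join('; ');
}

// Build headers for one response. `profile` selects endpoint-specific tuning;
// `extraDirectives` lets an endpoint override or drop (null) single directives.
function buildSecurityHeaders(envConfig, profile = 'json', extraDirectives = {}) {
  const scripts = (envConfig.trustedScriptSources || []).map(assertSafeSource);
  const media = (envConfig.trustedMediaSources || []).map(assertSafeSource);
  const base = profile === 'html'
    ? {
        'default-src': ["'self'"],
        'script-src': ["'self'", ...scripts],
        'img-src': ["'self'", ...media],
        'media-src': ["'self'", ...media],
        'frame-ancestors': ["'none'"],
      }
    : { 'default-src': ["'none'"], 'frame-ancestors': ["'none'"] };
  return {
    'Content-Security-Policy': serializeCsp({ ...base, ...extraDirectives }),
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer',
  };
}
```

A JSON endpoint gets the locked-down default, while an HTML endpoint picks up the trusted sources from the shared configuration; a malformed source in the configuration fails loudly instead of silently widening the policy.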

Event Timeline

daniel renamed this task from Node services should ahre code and configuration for security headers to Node services should share code and configuration for security headers. Jan 9 2023, 9:13 AM
daniel added subscribers: sbassett, MSantos.
daniel added subscribers: Joe, dduvall, hnowlan.
daniel triaged this task as Low priority. Jun 5 2023, 6:00 PM

I am removing RESTBase Sunsetting as this is not needed for its completion. Please, re-add it if needed.

Also, we might want to have a broader conversation since we have other initiatives improving the nodejs ecosystem, see T357950: Remove servicerunner dependency for cxserver