#2307 - WAVA scan headers update #2403
Conversation
guru-aot
requested review from
sh16011993,
dheepak-aot,
andrewsignori-aot,
ann-aot,
andrepestana-aot and
JasonCTang
| @@ -13,4 +13,10 @@ http { | |||
| default_type application/octet-stream; | |||
| sendfile on; | |||
| keepalive_timeout 65; | |||
| server { | |||
There was a problem hiding this comment.
what about Gzip compression settings which is mentioned in the ticket (from rocket chat)?
There was a problem hiding this comment.
https://app.zenhub.com/workspaces/student-information-management-system-5fce9df5aa1b45000e937014/issues/gh/bcgov/sims/2406 created for the validation whether the setting is needed or not
sources/packages/web/nginx.conf
Outdated
| @@ -13,4 +13,10 @@ http { | |||
| default_type application/octet-stream; | |||
| sendfile on; | |||
| keepalive_timeout 65; | |||
| server { | |||
| add_header 'X-Content-Type-Options' "nosniff"; | |||
| add_header 'Content-Security-Policy' "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"; | |||
There was a problem hiding this comment.
The conf file share from other project in story has more headers and more CSP config values. Are we considering it?
There was a problem hiding this comment.
No currently we are valiating only the medium wava scan issues.
|
Kudos, SonarCloud Quality Gate passed!
|
Backend Unit Tests Coverage Report
|
E2E Workflow Workers Coverage Report
|
E2E Queue Consumers Coverage Report
|
E2E SIMS API Coverage Report
|
As we are not setting any cookie our application, we are not fixing the "Cookie with Insecure or Improper or Missing SameSite attribute" issue.