#2307 - WAVA scan headers update #2403

Merged: 4 commits, Oct 11, 2023

Conversation

@guru-aot (Collaborator) commented Oct 11, 2023


  • Missing or insecure "X-Content-Type-Options" header

add_header 'X-Content-Type-Options' "nosniff";

  • Missing "Content-Security-Policy" header

add_header 'Content-Security-Policy' "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

  • Missing or insecure HTTP Strict-Transport-Security Header

add_header 'Strict-Transport-Security' "max-age=31536000; includeSubDomains; preload";

  • Missing "Referrer policy" Security Header

add_header 'Referrer-Policy' "same-origin";

As we are not setting any cookie in our application, we are not fixing the "Cookie with Insecure or Improper or Missing SameSite attribute" issue.
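The four header findings above, as an added checker that is not part of the SIMS project or of this PR: it parses a raw HTTP/1.x response, evaluates each of the four headers the PR adds, and reports which findings would still be raised. The one-year HSTS floor, the set of acceptable Referrer-Policy values, and the decision to treat `'unsafe-inline'` in `script-src` as a failure are this example's own assumptions (stricter than the scanner's medium-severity checks); the before/after responses are constructed samples, not captures from the application.

```python
"""Added example: verify a response's security headers against the four medium
WAVA findings listed in the PR description (nosniff, CSP, HSTS, Referrer-Policy).
Reviewer-written code, not part of the SIMS project; the thresholds and the
accepted Referrer-Policy values below are assumptions chosen for this check."""
import re

ONE_YEAR = 31536000  # seconds; the max-age the PR sets, also the HSTS preload minimum

# Referrer-Policy values that never send the full URL cross-origin (assumed safe set).
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def parse_raw_headers(raw):
    """Parse the header block of an HTTP/1.x response into a lowercase-keyed dict.

    Repeated headers are joined with ', ' so a duplicated directive stays visible."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_hsts(value):
    """HSTS passes only with max-age of at least one year and includeSubDomains."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return False, "missing max-age"
    max_age = int(m.group(1))
    if max_age < ONE_YEAR:
        return False, f"max-age {max_age} below one year"
    if "includesubdomains" not in value.lower():
        return False, "includeSubDomains not set"
    return True, value


def check_csp(value):
    """CSP must exist and carry default-src; 'unsafe-inline' in script-src fails
    because it lets injected inline scripts run, which is what CSP is meant to stop."""
    if not value:
        return False, "missing"
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    if "default-src" not in directives:
        return False, "no default-src fallback"
    script_src = directives.get("script-src", directives["default-src"])
    if "'unsafe-inline'" in (s.lower() for s in script_src):
        return False, "script-src allows 'unsafe-inline'"
    return True, value


def check_security_headers(headers):
    """Return {finding_name: (passed, detail)} for a lowercase-keyed header dict."""
    results = {}
    xcto = headers.get("x-content-type-options", "")
    results["X-Content-Type-Options"] = (xcto.lower() == "nosniff", xcto or "missing")
    results["Content-Security-Policy"] = check_csp(headers.get("content-security-policy", ""))
    hsts = headers.get("strict-transport-security", "")
    results["Strict-Transport-Security"] = check_hsts(hsts) if hsts else (False, "missing")
    rp = headers.get("referrer-policy", "").lower()
    results["Referrer-Policy"] = (rp in SAFE_REFERRER_POLICIES, rp or "missing")
    return results


def failing_findings(raw_response):
    """Sorted names of the findings that would still be reported for this response."""
    results = check_security_headers(parse_raw_headers(raw_response))
    return sorted(name for name, (ok, _) in results.items() if not ok)


# Constructed sample responses (not captured from the real application).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Referrer-Policy: same-origin\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for name, (ok, detail) in check_security_headers(parse_raw_headers(raw)).items():
            print(f"{label:6} {'PASS' if ok else 'FAIL'} {name}: {detail}")
```

Run directly to print PASS/FAIL per header for both samples; the "after" response clears three of the four findings and still fails only on Content-Security-Policy, because this checker refuses `'unsafe-inline'` in `script-src`.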

@@ -13,4 +13,10 @@ http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
Collaborator

what about Gzip compression settings which is mentioned in the ticket (from rocket chat)?

Collaborator Author

@@ -13,4 +13,10 @@ http {
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
add_header 'X-Content-Type-Options' "nosniff";
add_header 'Content-Security-Policy' "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
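Review bot: the two `add_header` directives placed under `server {` are not sent on 4xx and 5xx responses unless each carries the `always` parameter, so an error page served by this block would still fail the scan; write them as `add_header 'X-Content-Type-Options' "nosniff" always;`. Note also that nginx inherits `add_header` from the enclosing level only when the current level defines none, so any `location {}` block that adds its own header silently loses these two, and that `script-src 'self' 'unsafe-inline'` in the CSP value permits injected inline scripts to execute, which closes the "missing header" finding without providing the protection a CSP is meant to give.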
Collaborator

The conf file share from other project in story has more headers and more CSP config values. Are we considering it?

Collaborator Author

No, currently we are validating only the medium WAVA scan issues.

@sh16011993 (Collaborator) left a comment

Nice work 👍 @guru-aot

@ann-aot (Contributor) left a comment

LGTM @guru-aot 👍 Nice work

@sonarqubecloud

SonarCloud Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@github-actions

Backend Unit Tests Coverage Report

Totals Coverage
Statements: 17.44% ( 2205 / 12643 )
Methods: 8.1% ( 129 / 1593 )
Lines: 20.18% ( 1932 / 9573 )
Branches: 9.75% ( 144 / 1477 )

@github-actions

E2E Workflow Workers Coverage Report

Totals Coverage
Statements: 46.73% ( 300 / 642 )
Methods: 40% ( 32 / 80 )
Lines: 51.02% ( 251 / 492 )
Branches: 24.29% ( 17 / 70 )

@github-actions

E2E Queue Consumers Coverage Report

Totals Coverage
Statements: 74.93% ( 514 / 686 )
Methods: 67.47% ( 56 / 83 )
Lines: 76.96% ( 451 / 586 )
Branches: 41.18% ( 7 / 17 )

@andrewsignori-aot (Collaborator) left a comment

Nice work, looks good 👍

@dheepak-aot (Collaborator) left a comment

Nice work @guru-aot 👍

@andrepestana-aot (Collaborator) left a comment

Looks good!

@guru-aot guru-aot merged commit 123e1eb into release/v1.2.0 Oct 11, 2023
@guru-aot guru-aot deleted the #2307_Wava_scan_Headers_Update branch October 11, 2023 19:41
@github-actions

E2E SIMS API Coverage Report

Totals Coverage
Statements: 54.9% ( 4025 / 7331 )
Methods: 51.89% ( 493 / 950 )
Lines: 59.74% ( 3269 / 5472 )
Branches: 28.93% ( 263 / 909 )

6 participants