Security headers not present in responses #7398
Comments
Hello,
Hi there, thanks for the quick response! These headers were previously implemented, presumably as a feature to make this project more secure. They were removed because they conflicted with some service called "kibana" in commit 2e9b17a. I guess I would consider that commit to be the commit that introduced the intended behavior of "fixing interactions with kibana" with the unintended behavior of "reducing the security of this project", as there doesn't seem to be something that accounts for the lost behavior that those security headers provided. For what it's worth, it doesn't seem like kibana is used in this project anymore, but I might be missing something. I realize there is a separate route I could have taken to address this issue by emailing secure@cvat.ai, but the impact of these changes didn't seem to warrant a non-GitHub approach. If you would prefer I do that, please let me know.
I'll be taking this up.
Hello @nmanovic, requesting assignment of this issue. I recreated this issue in the dev environment. The solution is to add the security headers removed during the Kibana migration back into the security headers.
@SpecLad, could you please comment on the proposed solution?
A few comments:
Added security headers for Referrer-Policy, X-Content-Type-Options. Referring to Issue #7398, added additional security headers. Added to address the deduction in security score rating by third party scanners.

- Referrer-Policy "strict-origin-when-cross-origin";: Limit the referrer information sent when a user navigates away from the website
- X-Content-Type-Options "nosniff";: Prevent browsers from attempting to MIME-sniff the content type of a response to reduce risk of XSS and Content Injection

Co-authored-by: Roman Donchenko <rdonchen@outlook.com>
Actions before raising this issue
Steps to Reproduce
Expected Behavior
I would expect response headers related to security to be present. It seems these three used to be in previous versions, but the switch to using Traefik dropped them. These headers include (taking information from https://github.com/opencv/cvat/blob/v1.2.0/cvat/apps/documentation/installation.md#serving-over-https):
Possible Solution
Add these headers into the Traefik config. See the FILE (YAML) tabs here: https://doc.traefik.io/traefik/v2.9/middlewares/http/headers/
Context
We have a third party which rates our security score, and not having these headers on responses results in a minor deduction.
Environment
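One way to realise the Traefik fix proposed above, as an added example rather than CVAT's own configuration or anything attached to this issue: a Traefik v2 file-provider dynamic configuration that defines a headers middleware restoring the two headers named in the thread and attaches it to a router. The router, service and host values are placeholders, not taken from the project.

```yaml
# Traefik v2 dynamic configuration (file provider). Added example; not CVAT's config.
# Router/service names, the Host rule and the upstream URL are placeholders.
http:
  middlewares:
    security-headers:
      headers:
        # Emits "Referrer-Policy: strict-origin-when-cross-origin"
        referrerPolicy: "strict-origin-when-cross-origin"
        # Emits "X-Content-Type-Options: nosniff"
        contentTypeNosniff: true
        # Headers without a dedicated option can be set explicitly here
        customResponseHeaders:
          X-Permitted-Cross-Domain-Policies: "none"

  routers:
    app-router:                          # placeholder router name
      rule: "Host(`cvat.example.com`)"   # placeholder host
      entryPoints:
        - websecure
      middlewares:
        - security-headers               # attach the middleware above
      service: app-service               # placeholder service name

  services:
    app-service:
      loadBalancer:
        servers:
          - url: "http://app-upstream:8080"   # placeholder upstream
```

After reloading, a quick check against the deployment is `curl -sI https://cvat.example.com/ | grep -iE 'referrer-policy|x-content-type-options'`, which should print both headers; a missing line means the router is not using the middleware.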