
Get A+ on Mozilla Observatory for servo.org #473

Open

aneeshusa opened this issue Aug 25, 2016 · 9 comments

Comments

@aneeshusa
Contributor

aneeshusa commented Aug 25, 2016

Observatory by Mozilla is a project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

Scan results: https://observatory.mozilla.org/analyze.html?host=servo.org

This should mostly entail adding headers via Nginx.

Files:

  • nginx/default

Add a new test file(s) in the tests/sls/nginx dir. See the test added in #375 for an example.

@aneeshusa
Contributor Author

aneeshusa commented Aug 26, 2016

Something that caught my eye is that we are failing the cookie test, even though we ourselves don't set any cookies. It turns out CloudFlare is adding a __cfuid cookie which 1) cannot be disabled, 2) does not have the Secure flag set, and 3) is sent even on http connections, not just https connections. I'm guessing we can't do anything about this, so that's not part of the E-easy. cc @edunham in case you know a workaround

@aneeshusa aneeshusa reopened this Aug 26, 2016
@aneeshusa
Contributor Author

Oops, misclick.

@aneeshusa
Contributor Author

Bonus points if you utilize the actual http observatory code for the test instead of just checking headers.

@jarondl

jarondl commented Sep 16, 2016

I have started investigating this issue, and this is my current understanding:

  1. servo.org, starters.servo.org, and download.servo.org are all hosted on github pages (on separate repos) with cloudflare in front.
    For them, the nginx configuration file is irrelevant. Maybe the headers can be added via cloudfront page rules, but i.d.k
  2. build.servo.org is using the nginx server defined using saltstack. It is not even https, so it cannot pass the observatory requirements. We should first convert it to https (getting a certificate etc.), and only then can we try to get high scores on the observatory.

Are there other subdomains I haven't found?

@aneeshusa
Contributor Author

@jarondl The only other subdomain I know of is dl.servo.org (which currently gets TLS errors because we don't have SANs on our download.servo.org cert); maybe @edunham or @larsbergstrom knows more about that or about adding headers in cloudfront/cloudflare.

(I think download.servo.org is on S3 with some redirection magic, not GH pages.)

We are planning to add https to build.servo.org; see #423 for the tracking issue. Even while that is in progress, we can still work on adding the appropriate headers to Nginx; it's not necessary to go from ~0 to 100% in one step. I can assign you if you would like to work on this.

@jarondl

jarondl commented Sep 19, 2016

There is also blog.servo.org, which is also gh-pages with cloudflare.
Yes, I would like to work on this, please assign me.

@aneeshusa
Contributor Author

@jarondl It's yours, please ask if you have any questions.

@aneeshusa
Contributor Author

@jarondl How is this going? Anything that I can clear up for you?

jarondl added a commit to jarondl/saltfs that referenced this issue Oct 17, 2016
Add some headers to `build.servo.org` to improve our Mozilla Observatory
score. This helps the cause of servo#473, by raising our score from F (0) to a
whopping B- (65). The testing is still basic, the docker-observatory
based testing will go in a different PR.

To get to an A+ we must first implement https.

This is the local observatory report:

    Score Rule                       Description
      -20 redirection                Does not redirect to an https site.
      -20 strict-transport-security  HTTP Strict Transport Security (HSTS) header cannot be set for sites not available over https.
       -5 contribute                 Contribute.json file missing from root of website.
        5 content-security-policy    Content Security Policy (CSP) implemented without 'unsafe-inline' or 'unsafe-eval'.
        5 x-frame-options            X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive.

    Score: 65
    Grade: B-
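The report above lists the Observatory rules this thread is chasing (redirection to https, HSTS, contribute.json, CSP without 'unsafe-inline'/'unsafe-eval', XFO via frame-ancestors) and the earlier comment adds the cookie Secure-flag test. The grader below reproduces those checks over a raw HTTP response so they can be run against a local Nginx before the docker-observatory tests land. It is an example added to this thread, not code from saltfs or from Mozilla's Observatory: the weights of the five rules in the quoted report are copied from that report, every other weight and the grade cutoffs are assumptions about the Observatory scale, and both sample responses are constructed (the first mirrors the quoted report, the second adds a CDN-injected cookie without Secure, as the `__cfuid` comment describes).

```python
"""Grade an HTTP response against the Observatory rules named in this thread.

Added example for this issue, not code from saltfs or Mozilla's Observatory.
The five weights in the quoted report come from that report; other weights and
the grade cutoffs are assumed.  Both sample responses are constructed.
"""
from email.parser import BytesParser

# Grade cutoffs (assumed; the thread confirms only 65 -> B- and 0 -> F).
GRADES = [(100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"), (65, "B-"),
          (60, "C+"), (50, "C"), (45, "C-"), (40, "D+"), (30, "D"), (25, "D-")]

# Constructed: build.servo.org as the quoted report describes it (plain http,
# CSP with frame-ancestors, no cookies, no contribute.json).
SAMPLE_HTTP_ONLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"\r\n<html></html>"
)
# Constructed: the same site behind a CDN that injects a cookie without Secure.
SAMPLE_WITH_CDN_COOKIE = SAMPLE_HTTP_ONLY.replace(
    b"\r\n\r\n", b"\r\nSet-Cookie: __cfuid=abc123; Path=/; HttpOnly\r\n\r\n", 1)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value), ...]).
    A list, not a dict, so repeated Set-Cookie lines are preserved."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    msg = BytesParser().parsebytes(header_block + b"\r\n")
    return int(status_line.split()[1]), [(k.lower(), v.strip()) for k, v in msg.items()]


def csp_directives(value):
    """Parse a CSP header into {directive: [source, ...]}, lowercased."""
    directives = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute (the __cfuid case)."""
    names = []
    for name, value in headers:
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            if "secure" not in attrs[1:]:
                names.append(attrs[0].split("=", 1)[0])
    return names


def evaluate(status, headers, https, has_contribute_json=False):
    """Return (score, grade, findings); each finding is (points, rule, text)."""
    first = {}
    for name, value in headers:
        first.setdefault(name, value)  # first value wins for singleton headers
    findings = []
    if not https:
        if not (status in (301, 302, 307, 308)
                and first.get("location", "").startswith("https://")):
            findings.append((-20, "redirection", "Does not redirect to an https site."))
        findings.append((-20, "strict-transport-security",
                         "HSTS header cannot be set for sites not available over https."))
    elif "strict-transport-security" not in first:
        findings.append((-20, "strict-transport-security", "HSTS not implemented."))  # assumed
    if not has_contribute_json:
        findings.append((-5, "contribute", "Contribute.json file missing from root of website."))
    csp = first.get("content-security-policy")
    directives = csp_directives(csp) if csp is not None else {}
    if csp is None:
        findings.append((-25, "content-security-policy", "CSP not implemented."))  # assumed
    elif {"'unsafe-inline'", "'unsafe-eval'"} & set(
            directives.get("script-src", directives.get("default-src", []))):
        findings.append((-20, "content-security-policy",
                         "CSP allows 'unsafe-inline' or 'unsafe-eval'."))  # assumed
    else:
        findings.append((5, "content-security-policy",
                         "CSP implemented without 'unsafe-inline' or 'unsafe-eval'."))
    if "frame-ancestors" in directives:
        findings.append((5, "x-frame-options", "XFO implemented via the CSP frame-ancestors directive."))
    elif "x-frame-options" not in first:
        findings.append((-20, "x-frame-options", "X-Frame-Options not implemented."))  # assumed
    bad = insecure_cookies(headers)
    if bad:
        findings.append((-20, "cookies", "Cookies without Secure flag: " + ", ".join(bad)))  # assumed
    score = 100 + sum(points for points, _, _ in findings)
    return score, next((g for cutoff, g in GRADES if score >= cutoff), "F"), findings


if __name__ == "__main__":
    for raw in (SAMPLE_HTTP_ONLY, SAMPLE_WITH_CDN_COOKIE):
        score, grade, findings = evaluate(*parse_response(raw), https=False)
        for points, rule, text in sorted(findings):
            print(f"{points:5d} {rule:26s} {text}")
        print(f"Score: {score}  Grade: {grade}\n")
```

Run stand-alone it prints the first sample at 65 / B-, matching the quoted report, and shows how the CDN cookie drags the second sample further down; the same `evaluate` can be pointed at the bytes of any captured response from a local Nginx to check the `add_header` lines before a real Observatory scan.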
@jarondl

jarondl commented Oct 18, 2016

Hi @aneeshusa, the headers and the simple checks were easy, just reading through the docs to see what applies. Basically, both homu and buildbot don't use external resources, so it's very easy.

Running the Mozilla observatory locally with localhost and custom ports was more involved. I have managed it locally, but I want a more robust solution before including that in the tests. It does, however, require docker and docker-compose. Both are available on travis, but not on our Vagrant setup. Do you think that's a reasonable dependency?
