
satellite/console: Add security headers #3615

Merged (14 commits), Nov 21, 2019
Conversation

brimstone (Contributor) commented Nov 20, 2019

What: Adds X-Frame-Options and Referrer-Policy security headers to the
satellite console.

Why: There's a bunch of HTTP Headers that secure sites should use. This
PR adds two to the ones already sent.

Please describe the tests: Existing tests.

Please describe the performance impact: Maybe a little bit?

Code Review Checklist (to be filled out by reviewer)

  • NEW: Are there any Satellite database migrations? Are they forwards and backwards compatible?
  • Does the PR describe what changes are being made?
  • Does the PR describe why the changes are being made?
  • Does the code follow our style guide?
  • Does the code follow our testing guide?
  • Is the PR appropriately sized? (If it could be broken into smaller PRs it should be)
  • Does the new code have enough tests? (every PR should have tests or justification otherwise. Bug-fix PRs especially)
  • Does the new code have enough documentation that answers "how do I use it?" and "what does it do?"? (both source documentation and higher level, diagrams?)
  • Does any documentation need updating?
  • Do the database access patterns make sense?

@brimstone brimstone requested a review from a team November 20, 2019 14:02
@cla-bot cla-bot bot added the cla-signed label Nov 20, 2019
@ghost ghost requested review from crawter and Qweder93 and removed request for a team November 20, 2019 14:02
@brimstone brimstone added Request Code Review Code review requested Reviewer Can Merge If all checks have passed, non-owner can merge PR labels Nov 20, 2019
crawter previously approved these changes Nov 20, 2019
thepaul previously approved these changes Nov 20, 2019
Review comment on satellite/console/consoleweb/server.go (outdated, resolved)
crawter previously approved these changes Nov 20, 2019
@brimstone brimstone dismissed stale reviews from crawter and thepaul via eaaffed November 21, 2019 14:06
@brimstone brimstone merged commit 976881f into master Nov 21, 2019
@brimstone brimstone deleted the mr/add-security-headers branch November 21, 2019 16:15
bryanchriswhite added a commit that referenced this pull request Nov 25, 2019
* storj/master: (63 commits)
  web/satellite:  token payments logic (#3581)
  satellite/metainfo: reduce pointerDB access for CommitObject (#3589)
  satellite/metainfo: Fix misspelling in comment (#3636)
  argon2: choose a steady parallelism value (#3630)
  satellitedb: add support to testplanet for cockroachdb (#3634)
  satellite/console/auth: return in error handle added (#3639)
  Make sed a little more cross platformable (#3629)
  web: ms edge support bug fixed (#3638)
  web/satellite: registration/welcome message fixed, usage-report url fixed, storj-sim fixed (#3622)
  web/satellite: fonts changed to Inter (#3620)
  storagenode/updater: read identity location from storagenode's config.yaml (#3607)
  cmd/segment-reaper: Implement bitmask type (#3626)
  storagenode/gracefulexit: improve logging (#3633)
  private/testplanet: add a mock referral manager server into testplanet (#3631)
  satellite/gracefulexit: refactor concurrency (#3624)
  pkg/pb/referralmanager: update to add satellite ID to Get Tokens request (#3625)
  satellite/metainfo: improve Loop comments (#3595)
  storagenode: add bandwidth metrics (#3623)
  satellite/console: Add security headers (#3615)
  satellite/payments: token deposit accept cents (#3628)
  ...
bryanchriswhite pushed a commit to bryanchriswhite/storj that referenced this pull request Oct 29, 2020
* satellite/console: Add X-Frame-Options and Referrer-Policy security headers

* Update to use CSP instead of XFO and include tardigrade.io

* Make FrameAncestors a config option

* Update satellite-config lock

* Make help text for FrameAncestors better
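As an added illustration, not code from the storj repository or from this PR, the Go middleware below shows the end state the description and the commit messages above describe: a Referrer-Policy header plus a Content-Security-Policy frame-ancestors directive driven by a config option, with the older X-Frame-Options header emitted only where one of its two portable values (DENY, SAMEORIGIN) can express the same policy. The HeaderConfig type, its field names and defaults, and the ResponseHeaders helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HeaderConfig holds the deployment-tunable values. FrameAncestors echoes the
// config option named in the PR's commits; the field names and defaults here
// are assumptions for this example, not the project's own configuration.
type HeaderConfig struct {
	// FrameAncestors lists the origins allowed to embed the console, e.g.
	// []string{"'self'", "https://tardigrade.io"}. Empty means no framing at all.
	FrameAncestors []string
	// ReferrerPolicy bounds what the browser puts in the Referer header.
	ReferrerPolicy string
}

// DefaultHeaderConfig denies framing from every origin and keeps referrers
// same-origin only (assumed defaults for the example).
func DefaultHeaderConfig() HeaderConfig {
	return HeaderConfig{ReferrerPolicy: "same-origin"}
}

// cspFrameAncestors renders the frame-ancestors source list, or 'none'.
func (c HeaderConfig) cspFrameAncestors() string {
	if len(c.FrameAncestors) == 0 {
		return "'none'"
	}
	return strings.Join(c.FrameAncestors, " ")
}

// SecurityHeaders wraps a handler and sets the headers before the wrapped
// handler writes its response (headers set after the first Write are lost).
func SecurityHeaders(cfg HeaderConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Content-Security-Policy", "frame-ancestors "+cfg.cspFrameAncestors())
		// X-Frame-Options is kept only for user agents without CSP2 support and
		// only when it can state the same policy; it has no way to express an
		// allow-list of several origins, so in that case it is omitted.
		switch {
		case len(cfg.FrameAncestors) == 0:
			h.Set("X-Frame-Options", "DENY")
		case len(cfg.FrameAncestors) == 1 && cfg.FrameAncestors[0] == "'self'":
			h.Set("X-Frame-Options", "SAMEORIGIN")
		}
		h.Set("Referrer-Policy", cfg.ReferrerPolicy)
		next.ServeHTTP(w, r)
	})
}

// ResponseHeaders sends an in-memory request through the middleware and
// returns the response headers, so a test can check the policy without a
// real listener.
func ResponseHeaders(cfg HeaderConfig) http.Header {
	handler := SecurityHeaders(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "console")
	}))
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	// Constructed sample configs: the default, and one that also allows a
	// second origin, which only the CSP directive can express.
	for _, cfg := range []HeaderConfig{
		DefaultHeaderConfig(),
		{FrameAncestors: []string{"'self'", "https://tardigrade.io"}, ReferrerPolicy: "strict-origin-when-cross-origin"},
	} {
		h := ResponseHeaders(cfg)
		fmt.Printf("CSP: %s | XFO: %q | Referrer-Policy: %s\n",
			h.Get("Content-Security-Policy"), h.Get("X-Frame-Options"), h.Get("Referrer-Policy"))
	}
}
```

The reason the PR moved from X-Frame-Options to CSP is visible in the second sample config: once a second origin such as tardigrade.io must be allowed, only the frame-ancestors directive can list it, since X-Frame-Options has no portable multi-origin form. Exposing the list as a config option, as the later commits do, lets each deployment set it without a code change.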