This repository has been archived by the owner on Mar 24, 2022. It is now read-only.

ATC not setting necessary security related HTTP headers #144

Closed

jbarnicle opened this issue Dec 6, 2016 · 5 comments

Comments

@jbarnicle

jbarnicle commented Dec 6, 2016

In order to be in compliance with best practice security guidelines, ATC should set the following HTTP headers

  • X-XSS-Protection: 1; mode=block
  • Cache-Control: no-cache, no-store, must-revalidate, private
  • Pragma: no-cache

@concourse-bot

concourse-bot commented Dec 6, 2016

Hi there!

We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.

The current status is as follows:

  • #135649613 ATC not setting necessary security related HTTP headers

This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.

@vito
Contributor

vito commented Dec 6, 2016

Got a link to something that documents these as standard and why? Those sound like they'd change user-facing behavior in particular ways (no-cache especially), and shouldn't just be added for the sake of it.

@jbarnicle
Author

@vito Our particular need stems from a certification requirement being placed on our system by NIST. I understand that not everyone would want / need these headers set - so I would amend the issue to state that there should be a configuration point to add response headers.

@cnelson
Contributor

cnelson commented Dec 6, 2016

Agreed that we shouldn't set the cache control headers for everyone, but X-XSS-Protection: 1; mode=block and X-Content-Type-Options: nosniff (not mentioned in the original request, but important) are useful and shouldn't impact user-facing behavior.

There's a bit more info in the Mozilla Security Guidelines and @jmcarp is having a discussion about adding these headers to Grafana using https://github.com/unrolled/secure in grafana/grafana#6820 which may be a good solution for ATC as well.
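The thread settles on two things: headers that are safe to set unconditionally (X-XSS-Protection and X-Content-Type-Options) and a configuration point for headers such as Cache-Control and Pragma that change user-facing behaviour and so must stay opt-in. The following is an added example, not code from the ATC or from the unrolled/secure library mentioned above: a standard-library `net/http` middleware that applies exactly that split, a parser for a hypothetical `Name: value` flag format, and a check that reports which of the headers listed in this thread are absent from a response. The `HeaderConfig` type, `ParseHeaderFlags` and the flag format are assumptions made here; only the header names and values come from the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// HeaderConfig is a hypothetical configuration point for response headers
// (an assumption of this example; the ATC's real configuration is not on this page).
type HeaderConfig struct {
	XSSProtection      bool              // X-XSS-Protection: 1; mode=block (safe to enable by default)
	ContentTypeNoSniff bool              // X-Content-Type-Options: nosniff (safe to enable by default)
	Extra              map[string]string // opt-in headers such as Cache-Control and Pragma
}

// ParseHeaderFlags turns operator-supplied "Name: value" strings (a constructed
// flag format, assumed here) into the Extra map and rejects malformed entries.
func ParseHeaderFlags(flags []string) (map[string]string, error) {
	out := make(map[string]string, len(flags))
	for _, f := range flags {
		parts := strings.SplitN(f, ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed header flag %q (want Name: value)", f)
		}
		name, value := strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
		if name == "" || value == "" {
			return nil, fmt.Errorf("malformed header flag %q (want Name: value)", f)
		}
		out[http.CanonicalHeaderKey(name)] = value
	}
	return out, nil
}

// SecurityHeaders wraps next and sets the configured headers on every response.
func SecurityHeaders(cfg HeaderConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		if cfg.XSSProtection {
			h.Set("X-XSS-Protection", "1; mode=block")
		}
		if cfg.ContentTypeNoSniff {
			h.Set("X-Content-Type-Options", "nosniff")
		}
		for name, value := range cfg.Extra {
			h.Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// ExpectedHeaders lists the headers discussed in the thread with the requested values.
var ExpectedHeaders = map[string]string{
	"X-XSS-Protection":       "1; mode=block",
	"X-Content-Type-Options": "nosniff",
	"Cache-Control":          "no-cache, no-store, must-revalidate, private",
	"Pragma":                 "no-cache",
}

// MissingHeaders is the check an operator would run against a response:
// it returns, sorted, the expected headers whose value is absent or different.
func MissingHeaders(h http.Header) []string {
	var missing []string
	for name, want := range ExpectedHeaders {
		if h.Get(name) != want {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// ResponseHeaders drives one request through the middleware in-process and
// returns the response headers, so a configuration can be verified offline.
func ResponseHeaders(cfg HeaderConfig, path string) http.Header {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok"))
	})
	rec := httptest.NewRecorder()
	SecurityHeaders(cfg, ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result().Header
}

func main() {
	extra, err := ParseHeaderFlags([]string{
		"Cache-Control: no-cache, no-store, must-revalidate, private",
		"Pragma: no-cache",
	})
	if err != nil {
		panic(err)
	}
	full := HeaderConfig{XSSProtection: true, ContentTypeNoSniff: true, Extra: extra}
	defaults := HeaderConfig{XSSProtection: true, ContentTypeNoSniff: true}
	fmt.Println("missing with cache headers opted in:", MissingHeaders(ResponseHeaders(full, "/")))
	fmt.Println("missing with defaults only:", MissingHeaders(ResponseHeaders(defaults, "/")))
}
```

With only the defaults enabled the check reports Cache-Control and Pragma as missing, which is the intended outcome for deployments that do not want caching disabled; an operator with the certification requirement described above adds them through the Extra map. Header names pass through `http.CanonicalHeaderKey`, so `pragma: no-cache` and `Pragma: no-cache` configure the same header.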

@chendrix
Contributor

Hi all, this will be fixed and delivered as part of 2.7.1 5b04c1f...3d32529#diff-20bd1a6996c96469214da01b9a7aae78
