[WIP] Implement secure_headers gem #282
Conversation
jgarber623-gov
requested review from
aileendds,
hlieberman-gov and
jamesatheyDDS
.ebextensions/nginx.config
Outdated
|
|
||
| # HSTS (HTTP Strict Transport Security) | ||
| # This header tells browsers to cache the certificate for six months and to connect exclusively via HTTPS. | ||
| add_header Strict-Transport-Security "max-age=15768000" always; |
There was a problem hiding this comment.
I'm not sure if we'd want to move some of these headers into the location blocks covering assets and/or error pages.
@hlieberman-gov What's your take?
|
|
||
| # Disable ActionDispatch's default headers (these are handled by nginx) | ||
| config.action_dispatch.default_headers = {} | ||
|
|
There was a problem hiding this comment.
No need for this anymore…
| config.action_dispatch.default_headers.merge!( | ||
| 'X-UA-Compatible' => 'IE=Edge' | ||
| ) | ||
| end |
There was a problem hiding this comment.
secure_headers doesn't cover this IE-specific header, so adding this initializer here and merging it with Action Dispatch's default headers.
| config.hsts = 'max-age=15768000' | ||
| config.referrer_policy = %w[origin-when-cross-origin strict-origin-when-cross-origin] | ||
| config.x_content_type_options = 'nosniff' | ||
| config.x_download_options = 'noopen' |
There was a problem hiding this comment.
This one's new to me, but interesting: https://msdn.microsoft.com/library/jj542450(v=vs.85).aspx
| } | ||
|
|
||
| config.hsts = 'max-age=15768000' | ||
| config.referrer_policy = %w[origin-when-cross-origin strict-origin-when-cross-origin] |
There was a problem hiding this comment.
I wasn't familiar with the Referrer Policy spec, but I like it.
| config.x_content_type_options = 'nosniff' | ||
| config.x_download_options = 'noopen' | ||
| config.x_frame_options = 'deny' | ||
| config.x_permitted_cross_domain_policies = 'none' |
There was a problem hiding this comment.
.ebextensions/nginx.config
Outdated
| # you can tell the browser that it can only download content from the domains you explicitly allow | ||
| # CSP can be quite difficult to configure, and cause real issues if you get it wrong | ||
| # There is website that helps you generate a policy here http://cspisawesome.com/ | ||
| add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://dap.digitalgov.gov https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://www.google-analytics.com *.tile.openstreetmap.org; frame-ancestors 'none'; frame-src https://www.youtube.com;" always; |
There was a problem hiding this comment.
We only need to make sure this CSP header is delivered on root requests. For the error pages in particular, as well as any other directly delivered HTML, we should add one in.
|
|
||
| # MIME type sniffing security protection | ||
| # There are very few edge cases where you wouldn't want this enabled. | ||
| add_header X-Content-Type-Options nosniff always; |
There was a problem hiding this comment.
Yeah, we want this one delivered on static content.
|
|
||
| # The X-Frame-Options header indicates whether a browser should be allowed | ||
| # to render a page within a frame or iframe. | ||
| add_header X-Frame-Options SAMEORIGIN always; |
There was a problem hiding this comment.
Do we ever iframe this page internally? Might be worth changing to DENY; either way, we should preserve this on static content.
|
|
||
| # The X-XSS-Protection header is used by Internet Explorer version 8+ | ||
| # The header instructs IE to enable its inbuilt anti-cross-site scripting filter. | ||
| add_header X-XSS-Protection "1; mode=block" always; |
There was a problem hiding this comment.
Meh. If we can, great, otherwise, don't sweat it.
.ebextensions/nginx.config
Outdated
|
|
||
| # HSTS (HTTP Strict Transport Security) | ||
| # This header tells browsers to cache the certificate for six months and to connect exclusively via HTTPS. | ||
| add_header Strict-Transport-Security "max-age=15768000" always; |
There was a problem hiding this comment.
HSTS we should pass on all requests, but it's not the end of the world if we don't do it for the static content, especially if we're planning on preloading.
| style_src: %w['self' 'unsafe-inline'] | ||
| } | ||
|
|
||
| config.hsts = 'max-age=15768000' |
There was a problem hiding this comment.
Should bump to max-age=63072000; includeSubDomains; preload
jgarber623-gov
force-pushed
the
secure-headers
branch
from
9fa7215 to
31250ff
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
31250ff to
6043a35
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
a5e411a to
f2b9a15
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
f2b9a15 to
d74bcf0
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
d74bcf0 to
3c77beb
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
3c77beb to
cf8b518
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
cf8b518 to
39a7f41
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
39a7f41 to
65c8c18
Compare
jgarber623-gov
force-pushed
the
secure-headers
branch
from
65c8c18 to
f55eb67
Compare
jgarber623-gov
changed the title
jgarber623-gov
force-pushed
the
secure-headers
branch
from
f55eb67 to
ef8d8f9
Compare
Checklist
I have…
bin/rails server) and verified that my changes behave as expected.bin/rubocop) and vulnerability scan (bin/brakeman) against my changes.bin/rake spec) and verified that all tests pass.Summary of Changes
This pull request adds Twitter's secure_headers gem to the project and uses its features to implement more-secure HTTP response headers (e.g.
X-Frame-Options,Content-Security-Policy) for routes served by the Rails app.The move to do this was prompted by a conversation with @jobertabma at HackerOne. He noted the remote possibility of an attacker compromising a developer machine and taking advantage of our previous decision to offload header-setting to nginx instead of Rails/Action Dispatch.
Testing
To verify the changes proposed in this pull request…
git checkout secure-headers,CONTRIBUTING.md,bin/rails server,