
[WOR-1824]: Add CSP Header to Swagger Page #502

Merged (5 commits), Sep 30, 2024

Conversation

kevinmarete (Contributor) commented Sep 28, 2024

Description:

This PR adds a Content Security Policy (CSP) header to the Landing Zone Service Swagger page to enhance security by reducing the risk of cross-site scripting (XSS) and data injection attacks.

Changes:

  • Added CSP header to the Swagger page response using the most common directives:
    • default-src: the default policy for loading JavaScript, images, CSS, fonts, AJAX requests, etc.
    • script-src: defines valid sources for JavaScript files
    • style-src: defines valid sources for CSS files
    • img-src: defines valid sources for images
    • connect-src: defines valid targets for XMLHttpRequest (AJAX), WebSockets, and EventSource.
  • Configured the header to allow necessary resources, using unsafe-inline to enable inline scripts and styles where needed.
  • Updated artifact-actions to v4

Testing:

  • Verified the Swagger page displays correctly with the CSP header.
  • Checked for any security warnings or content issues.
[Screenshot attached: 2024-09-27 at 8:15:44 PM]

@kevinmarete kevinmarete self-assigned this Sep 28, 2024
@kevinmarete kevinmarete marked this pull request as ready for review September 28, 2024 01:22
@kevinmarete kevinmarete requested review from a team, cahrens, marctalbott, aherbst-broad and sarahgibs and removed request for a team and cahrens September 28, 2024 01:22
@kevinmarete kevinmarete removed the request for review from sarahgibs September 30, 2024 18:28

@kevinmarete kevinmarete merged commit 888747d into main Sep 30, 2024
21 checks passed
@kevinmarete kevinmarete deleted the km_WOR-1824_csp_header branch September 30, 2024 19:05
fboulnois added a commit to DataBiosphere/terra-data-catalog that referenced this pull request Dec 5, 2024
### Addresses

https://broadworkbench.atlassian.net/browse/DT-1022

### Summary

Similar to
DataBiosphere/terra-landing-zone-service#502 and
DataBiosphere/terra-workspace-data-service#941,
adds a Content Security Policy to the Swagger UI using a `meta` tag.

The team decided to use this approach instead of the proxy approach
since catalog currently has no proxy templating which means that we
would either need to modify it for all services or add our own template
for catalog, both of which were deemed high risk and low value,
especially since catalog is likely to be retired in the near future.
Additionally, proxy changes are hard to test, whereas this change was
straightforward to test.

### Testing

Tested with a catalog instance locally, tried endpoints and the login,
no errors were observed in the console. Next, added a CDN delivered
resource, and saw failures relating to that resource in the console.
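Added example (not code from either PR): it builds the Swagger policy from the five directives listed in the PR description, renders it both as the header value and as the `meta` tag the catalog commit describes, audits it for the `unsafe-inline` allowance, and checks that a CDN origin like the one used in the catalog testing is rejected. The source lists, the nonce value and the origins are assumptions.

```python
from html import escape

# Directive names are the five the PR lists; the source lists are assumed
# (the PR says only that 'unsafe-inline' was needed for scripts and styles).
SWAGGER_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
}
# Same policy with the inline allowances replaced by a per-response nonce (hypothetical value).
STRICT_CSP = {**SWAGGER_CSP, "script-src": ["'self'", "'nonce-r4nd0m'"],
              "style-src": ["'self'", "'nonce-r4nd0m'"]}

def serialize_csp(policy):
    """Render {directive: [sources]} in the syntax a header or meta tag carries."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def parse_csp(value):
    """Inverse of serialize_csp: split on ';', the first token is the directive name."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def as_meta_tag(policy):
    """Meta-tag delivery, used when no proxy is available to set the header.
    Note: frame-ancestors, sandbox and report-uri are ignored in a meta tag."""
    return ('<meta http-equiv="Content-Security-Policy" '
            f'content="{escape(serialize_csp(policy), quote=True)}">')

def audit_csp(policy):
    """Findings a reviewer would raise: missing fallback, inline/eval, wildcards."""
    findings = [] if "default-src" in policy else ["no default-src fallback"]
    for name, srcs in policy.items():
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in srcs:
                findings.append(f"{name} allows {weak}")
    return findings

def allows(policy, directive, origin, self_origin):
    """Simplified source matching: exact origin, 'self' or '*', with the
    browser's fall-back to default-src when the fetch directive is absent."""
    srcs = policy.get(directive) or policy.get("default-src", [])
    return any(s == "*" or s == origin or (s == "'self'" and origin == self_origin)
               for s in srcs)
```

`audit_csp` reports the two `unsafe-inline` allowances for the Swagger policy and nothing for the nonce variant; `allows` returns False for the CDN origin, which is the console failure the catalog testing describes.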