Infrastructure / INFRA-2998

Missing/Incorrect headers

    Details

    • Type: Bug
    • Status: In Progress (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: jenkins.io
    • Labels:
      None
      Description

      Hello there, the Jenkins CERT ML received 3 reports concerning jenkins.io due to missing headers. Nothing important in terms of security, but it could be nice if you could add them to prevent similar reports from being sent. It's a waste of time.

      Missing header: X-Content-Type-Options in nosniff mode
      Missing header: Content-Security-Policy
      Header to adjust: HSTS has a too low max-age, recommended minimal is 30 days

      Communicated to jenkins-infra on libera

          Activity

          dduportal Damien Duportal added a comment -

          Wadeck Follonier the content-type options is in production:

          $ date && curl -s -vv  https://jenkins.io 2>&1 | grep -i 'content-type-options'
          Wed Aug 18 16:09:44 CEST 2021
          < x-content-type-options: nosniff
          
          dduportal Damien Duportal added a comment -

          Opened a PR for X-Frame-Options: https://github.com/jenkins-infra/charts/pull/1407

          dduportal Damien Duportal added a comment -

          And about CSP, that will be the most painful, the PR https://github.com/jenkins-infra/charts/pull/1408 is enabling the "report-only" header for CSP, from there we'll have to iterate and fine tune the policy based on reports

          dduportal Damien Duportal added a comment -

          The header X-Frame-Options is now in production:

          date && curl -s -vv -L  https://jenkins.io 2>&1 | grep -i 'frame-opt'
          Wed Aug 18 20:02:23 CEST 2021
          < x-frame-options: DENY
          
          dduportal Damien Duportal added a comment -

          The 3 settings (X-Frame, X-Content and HSTS) have been applied successfully to both:

          • the ingress controller
          date && curl -s -vv https://52.167.253.43 -o /dev/null -H "Host: www.jenkins.io" -k 2>&1 | grep -i 'x-'
          Thu Aug 19 16:41:03 CEST 2021
          < cache-control: max-age=3600
          < strict-transport-security: max-age=86400; includeSubDomains; preload
          < x-content-type-options: nosniff
          < x-frame-options: DENY
          
          • in Fastly
          date && curl -s -vv https://www.jenkins.io -o /dev/null 2>&1 | grep -i 'x-'
          Thu Aug 19 16:39:58 CEST 2021
          < cache-control: max-age=3600, public
          < x-content-type-options: nosniff
          < x-frame-options: DENY
          < x-served-by: cache-ams21032-AMS
          < x-cache: HIT
          < x-cache-hits: 3
          < x-timer: S1629383999.957492,VS0,VE0
          < strict-transport-security: max-age=86400; includeSubDomains; preload
          
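The three items in this report (X-Content-Type-Options, Content-Security-Policy, HSTS max-age of at least 30 days) plus X-Frame-Options can be verified mechanically against raw `curl -v` output. The checker below is an added example, not code from the Jenkins infra project; the sample header block is constructed from the ingress-controller response pasted in the last comment, and the 30-day threshold is the minimum named in the report. Run against that sample it reports the missing CSP and flags the `max-age=86400` (one day) HSTS value as below the 30-day minimum.

```python
import re

# Constructed sample: the ingress-controller response lines quoted in the
# last comment of this issue, in the "< header: value" form curl -v prints.
SAMPLE_HEADERS = """\
< HTTP/2 200
< cache-control: max-age=3600
< strict-transport-security: max-age=86400; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: DENY
"""

MIN_HSTS_MAX_AGE = 30 * 24 * 3600  # 30 days, the minimum the report asks for


def parse_headers(raw):
    """Map lowercased header name -> value from curl -v style output."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith(("> ", "* ")):
            continue  # curl request / connection info lines
        line = line.lstrip("< ")
        if ":" not in line:
            continue  # status line or blank separator
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Return the max-age directive of an HSTS value, or None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(raw):
    """Return findings mirroring the items raised in this issue."""
    h = parse_headers(raw)
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Missing header: X-Content-Type-Options in nosniff mode")
    if "content-security-policy" in h:
        pass  # enforced policy present
    elif "content-security-policy-report-only" in h:
        findings.append("CSP present only in report-only mode (not enforced)")
    else:
        findings.append("Missing header: Content-Security-Policy")
    if "x-frame-options" not in h:
        findings.append("Missing header: X-Frame-Options")
    hsts = h.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts is not None else None
    if hsts is None:
        findings.append("Missing header: Strict-Transport-Security")
    elif age is None or age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age too low: {age} (minimum {MIN_HSTS_MAX_AGE})")
    return findings
```

Pipe real output in with `curl -s -vv https://www.jenkins.io -o /dev/null 2>&1 | python3 check.py` after adding a `sys.stdin.read()` call; the same parser handles both the ingress and the Fastly responses shown above.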

            People

            Assignee:
            dduportal Damien Duportal
            Reporter:
            wfollonier Wadeck Follonier