
Missing/Incorrect headers


    Details

    • Type: Bug
    • Status: In Progress (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: jenkins.io
    • Labels:
      None

      Description

      Hello there, the Jenkins CERT ML received 3 reports concerning jenkins.io due to missing headers. Nothing important in terms of security, but it could be nice if you could add them to prevent similar reports from being sent. It's a waste of time.

      Missing header: X-Content-Type-Options in nosniff mode
      Missing header: Content-Security-Policy
      Header to adjust: HSTS max-age is too low; the recommended minimum is 30 days

      Communicated to jenkins-infra on libera

          Activity

          wfollonier Wadeck Follonier created issue -
          dduportal Damien Duportal made changes -
          Assignee: (none) → Damien Duportal [ dduportal ]
          dduportal Damien Duportal made changes -
          Status: Open [ 1 ] → In Progress [ 3 ]
          dduportal Damien Duportal added a comment -

          At first glance, that should be a change in https://github.com/jenkins-infra/charts/blob/master/config/default/jenkinsio.yaml . Checking the ingress annotation for nginx

          dduportal Damien Duportal added a comment -

          https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet

          wfollonier Wadeck Follonier added a comment -

          If you can add the https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/X-Frame-Options at the same time, it could be valuable to prevent Clickjacking reports (there is no vulnerability, just a problem of reports).

          CSP is complicated and could be postponed.

          dduportal Damien Duportal made changes -
          Rank Ranked higher
          wfollonier Wadeck Follonier added a comment - edited

          FYI we got another report about a ClickJacking attack due to missing X-Frame-Options on the CERT mailing list for jenkins.io (August 11).

          And a previous one on missing "X-Content-Type-Options" on August 1.

          dduportal Damien Duportal added a comment -

          Let's get started with the `X-Content-Type-Options`: https://github.com/jenkins-infra/charts/pull/1247

          dduportal Damien Duportal added a comment -

          For HSTS: https://github.com/jenkins-infra/charts/pull/1403 . I need a thorough review as it will, for sure, break things and we'll have to iterate and fine-tune.

          dduportal Damien Duportal added a comment -

          Wadeck Follonier the Content-Type-Options header is in production:

          $ date && curl -s -vv  https://jenkins.io 2>&1 | grep -i 'content-type-options'
          Wed Aug 18 16:09:44 CEST 2021
          < x-content-type-options: nosniff
          
          dduportal Damien Duportal added a comment -

          Opened a PR for X-Frame-Options: https://github.com/jenkins-infra/charts/pull/1407

          dduportal Damien Duportal added a comment -

          And about CSP, that will be the most painful: the PR https://github.com/jenkins-infra/charts/pull/1408 enables the "report-only" header for CSP; from there we'll have to iterate and fine-tune the policy based on reports.

          dduportal Damien Duportal added a comment -

          The header X-Frame-Options is now in production:

          date && curl -s -vv -L  https://jenkins.io 2>&1 | grep -i 'frame-opt'
          Wed Aug 18 20:02:23 CEST 2021
          < x-frame-options: DENY
          
          dduportal Damien Duportal added a comment -

          The 3 settings (X-Frame, X-Content and HSTS) have been applied successfully to both:

          • the ingress controller
          date && curl -s -vv https://52.167.253.43 -o /dev/null -H "Host: www.jenkins.io" -k 2>&1 | grep -i 'x-'
          Thu Aug 19 16:41:03 CEST 2021
          < cache-control: max-age=3600
          < strict-transport-security: max-age=86400; includeSubDomains; preload
          < x-content-type-options: nosniff
          < x-frame-options: DENY
          
          • in Fastly
          date && curl -s -vv https://www.jenkins.io -o /dev/null 2>&1 | grep -i 'x-'
          Thu Aug 19 16:39:58 CEST 2021
          < cache-control: max-age=3600, public
          < x-content-type-options: nosniff
          < x-frame-options: DENY
          < x-served-by: cache-ams21032-AMS
          < x-cache: HIT
          < x-cache-hits: 3
          < x-timer: S1629383999.957492,VS0,VE0
          < strict-transport-security: max-age=86400; includeSubDomains; preload
          
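One way to turn the curl checks in this thread into a repeatable verification, as an added example that is not part of the issue or of the jenkins-infra charts: it parses the `< name: value` lines that `curl -v` prints and checks the four items the ticket raises (nosniff, X-Frame-Options, CSP, and the 30-day HSTS minimum the reporter cites). The sample input is constructed from the Fastly response quoted above.

```python
"""Check a `curl -v` header dump against the header policy requested in INFRA-2998.
Added example (not from the issue or jenkins-infra); sample constructed from the thread."""
import re

MIN_HSTS_AGE = 30 * 24 * 3600  # the "30 days" minimum the reporter cites, in seconds

# Constructed sample: response header lines exactly as `curl -v` prints them.
SAMPLE_CURL_OUTPUT = """\
< cache-control: max-age=3600, public
< x-content-type-options: nosniff
< x-frame-options: DENY
< strict-transport-security: max-age=86400; includeSubDomains; preload
"""


def parse_curl_headers(text):
    """Return {lower-case name: value} for the '< name: value' lines in curl -v output."""
    headers = {}
    for line in text.splitlines():
        m = re.match(r"^<\s*([A-Za-z0-9-]+):\s*(.*)$", line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers


def check_security_headers(headers):
    """Return findings for the four items raised in the ticket; an empty list means all are met."""
    findings = []
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing")
    if not ("content-security-policy" in headers
            or "content-security-policy-report-only" in headers):
        findings.append("Content-Security-Policy missing (not even report-only)")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age={age} is below {MIN_HSTS_AGE} (30 days)")
    return findings


if __name__ == "__main__":
    for finding in check_security_headers(parse_curl_headers(SAMPLE_CURL_OUTPUT)):
        print("FAIL:", finding)
```

Run against the quoted Fastly response it reports two findings: CSP is absent, and max-age=86400 (one day) is below the 30-day minimum the report asked for, even though the other two headers are in place.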

            People

            Assignee:
            dduportal Damien Duportal
            Reporter:
            wfollonier Wadeck Follonier
            Votes: 0
            Watchers: 2
