Add support for HTTP Strict-Transport-Security header #1853
Labels
Aspect: Security - Can an unwanted third party affect the stability or look at privileged information?
Component: Omnibus - Involving the omnibus package or its build
Status: Adopted - An issue that is being worked on.
Triage: Confirmed - Indicates an issue has been confirmed as described.
Describe the problem
When a web server is configured to use HTTP Strict-Transport-Security, it includes a Strict-Transport-Security response header that tells the browser to send all future requests for that domain over HTTPS, until the policy's max-age expiration is reached. This provides improved protection against some web attacks that exploit accessing resources over HTTP.

It was discovered by the security team for my customer that this header is not present in the response sent from the on-premise Chef Supermarket to the browser. I also tested the public supermarket and the header is not present there either. This was considered to be a LOW security finding, so while the need for this fix isn't critical, it seems like it would be a valuable addition to the project.
Software Version
Tested and verified in the latest release of Chef Supermarket - 3.3.20
Replication Case
1. Open supermarket.chef.io in a browser with the network inspector open.
2. Select the page document from the list of response documents sent from the web server.
3. Open the Headers view of that document to see the request and response headers. Scroll down to the response headers.
4. Look for Strict-Transport-Security in this list. It should be missing.
Stacktrace
Possible Solution
HSTS is enabled in Rails if the web application is configured to use force_ssl. In this case, since SSL/TLS is terminated at the NGINX web server, the HSTS header should instead be added to the Rails NGINX configuration.
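An added example of what that NGINX change could look like; this is not the Supermarket project's own configuration, and the host name, certificate paths, upstream name and max-age value are placeholders. The header is emitted only from the HTTPS server block, since browsers ignore HSTS received over plain HTTP.

```nginx
# Added example, not the Supermarket project's config.
# Host name, certificate paths, upstream and max-age are placeholders.
server {
    listen 80;
    server_name supermarket.example.com;
    # HSTS is only honoured over HTTPS, so the plain-HTTP block just redirects.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name supermarket.example.com;
    ssl_certificate     /etc/ssl/certs/supermarket.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/supermarket.key;  # placeholder path

    # The browser caches the policy for one year. "always" (nginx 1.7.5+)
    # also attaches the header to 4xx/5xx responses, not only 2xx/3xx.
    # Only keep includeSubDomains if every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Caveat: add_header is not merged across levels. If this location
        # (or any other) declares its own add_header, the server-level HSTS
        # header is no longer inherited here and must be repeated.
        proxy_pass http://supermarket_app;   # placeholder upstream name
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading NGINX, the fix can be confirmed with the same replication steps above, or with curl -sI https://supermarket.example.com | grep -i strict-transport-security, which should now print the header.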