Harden security response headers for serverless offering #150884
Labels:
- enhancement: New value added to drive a business result
- Feature:Hardening: Hardening of Kibana from a security perspective
- Project:Serverless: Work as part of the Serverless project for its initial release
- Team:Security: Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
legrego added the Team:Security, enhancement, Feature:Hardening and Project:Serverless labels on Feb 10, 2023
Pinging @elastic/kibana-security (Team:Security) |
Marking as |
@clintandrewhall we are interested in setting different defaults for some of our configuration options within the serverless offering. Is the recommended way to do this via the new |
This was referenced May 1, 2023

jeramysoucy added a commit that referenced this issue on May 18, 2023:
Closes #150884

## Summary

Adds both strictTransportSecurity and disableEmbedding to the serverless.yml config file, which sets the defaults for Kibana running in a serverless configuration. Note that the disabling of embedding is for the serverless MVP, with a plan to more strategically and explicitly allow embedding of specific resources in future releases.

- `server.securityResponseHeaders.strictTransportSecurity: max-age=31536000; includeSubDomains`: Adds the `strict-transport-security` response header. The browser should remember that a site, including subdomains, is only to be accessed using HTTPS for 1 year.
- `server.securityResponseHeaders.disableEmbedding: true`: Adds the `X-Frame-Options` response header with a value of `SAMEORIGIN` and adds `frame-ancestors 'self'` to the `content-security-policy` response header.

Note: if you are running without TLS enabled locally, you can disable the `strict-transport-security` response header by overriding the setting in kibana.dev.yml (see Testing step 8 below).

### Testing (locally)

1. Start Elasticsearch
3. Start Kibana with `yarn start --serverless`
4. Sign into Kibana and open your browser's dev tools
5. In the network tab, inspect one of the requests for localhost
6. In the Headers tab, verify the above defined headers and values are present
7. Stop Kibana, and restart normally with `yarn start`
8. Repeat the process in steps 4-6 and verify that the above defined headers and values are not present
9. Stop Kibana, edit the kibana.dev.yml file by adding `server.securityResponseHeaders.strictTransportSecurity: null`
10. Start Kibana with `yarn start --serverless`
11. Repeat the process in steps 4-6 and verify that the headers and values associated with disableEmbedding are present while the `strict-transport-security` response header is not present.
delanni pushed a commit to delanni/kibana that referenced this issue on May 25, 2023 (same commit message as above).
Relates: #97348

In #52809 (PR: #97158) we introduced configuration properties for security response headers:

- `server.securityResponseHeaders.strictTransportSecurity`, default: `null` (not enabled) ❌
- `server.securityResponseHeaders.xContentTypeOptions`, default: `'nosniff'` (enabled) ✅
- `server.securityResponseHeaders.referrerPolicy`, default: `'no-referrer-when-downgrade'` (enabled) ✅
- `server.securityResponseHeaders.permissionsPolicy`, default: `null` (not enabled) ❔
- `server.securityResponseHeaders.disableEmbedding`, default: `false` (not enabled, embedding is allowed) ❌

Out of these, it would be good to change the default for `strictTransportSecurity` and `disableEmbedding`. I propose the following:

```yaml
strictTransportSecurity: max-age 31536000; includeSubDomains
disableEmbedding: true
```

These are notably breaking changes to the existing offering, so these settings should only be applicable in a serverless context. I believe the way to do this is to modify the config settings in `config/serverless.yml`.
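As an added example (not code from this issue or from the Kibana project), a small Python checker that compares a response's headers with the defaults listed in this issue and set by the commit above: the two always-on headers, plus the HSTS and embedding restrictions that become defaults only under serverless. The sample header sets are constructed, not captured from a running Kibana.

```python
from __future__ import annotations
HSTS_MIN_MAX_AGE = 31536000  # one year in seconds, the proposed serverless default

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value like 'max-age=31536000; includeSubDomains'."""
    parsed = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            parsed["max_age"] = int(val)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed

def csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def audit_headers(headers: dict[str, str], serverless: bool) -> list[str]:
    """Compare response headers with the defaults in the issue; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # Enabled by default in every Kibana deployment.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    if h.get("referrer-policy", "").lower() != "no-referrer-when-downgrade":
        findings.append("referrer-policy is not 'no-referrer-when-downgrade'")
    if not serverless:
        return findings  # HSTS and the embedding restriction are serverless-only defaults
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts["max_age"] is None or hsts["max_age"] < HSTS_MIN_MAX_AGE or not hsts["include_subdomains"]:
        findings.append("strict-transport-security weaker than 'max-age=31536000; includeSubDomains'")
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("x-frame-options is not SAMEORIGIN")
    if csp_frame_ancestors(h.get("content-security-policy", "")) != ["'self'"]:
        findings.append("content-security-policy lacks frame-ancestors 'self'")
    return findings
# Constructed sample responses (not captured from a real Kibana instance); the second one drops
# HSTS, as happens when strictTransportSecurity is overridden to null in kibana.dev.yml.
SERVERLESS_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "script-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer-when-downgrade",
}
DEV_OVERRIDE_HEADERS = {k: v for k, v in SERVERLESS_HEADERS.items() if k != "Strict-Transport-Security"}
```

Feeding it the headers of a real response (for instance the dict from `requests.get(url).headers`) reproduces testing steps 6, 8 and 11 without reading the dev tools by eye.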