Harden security response headers for serverless offering #158000
Merged: jeramysoucy merged 2 commits into elastic:main from jeramysoucy:harden-sec-resp-headers-serverless on May 18, 2023
Conversation
jeramysoucy added the Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!), release_note:skip (Skip the PR/issue when compiling release notes), backport:skip (This commit does not require backporting) and v8.9.0 labels on May 17, 2023
Pinging @elastic/kibana-security (Team:Security)
💚 Build Succeeded
Metrics [docs]: unknown metric groups (ESLint disabled line counts, total ESLint disabled count); see History.
To update your PR or re-run it, just comment with: cc @jeramysoucy
thomheymann approved these changes on May 18, 2023
LGTM! All working as expected.
delanni pushed a commit to delanni/kibana that referenced this pull request on May 25, 2023: Harden security response headers for serverless offering (#158000)
jeramysoucy added the Feature:Hardening (Hardening of Kibana from a security perspective) label on May 25, 2023
Closes #150884
Summary
Adds both strictTransportSecurity and disableEmbedding to the serverless.yml config file, which sets the defaults for Kibana running in a serverless configuration. Note that the disabling of embedding is for the serverless MVP, with a plan to more strategically and explicitly allow embedding of specific resources in future releases.
- `server.securityResponseHeaders.strictTransportSecurity: max-age=31536000; includeSubDomains`: Adds the `strict-transport-security` response header. The browser should remember that a site, including subdomains, is only to be accessed using HTTPS for 1 year.
- `server.securityResponseHeaders.disableEmbedding: true` adds the `X-Frame-Options` response header with a value of `SAMEORIGIN` and adds `frame-ancestors 'self'` to the `content-security-policy` response header.
Note: if you are running without TLS enabled locally, you can disable the `strict-transport-security` response header by overriding the setting in kibana.dev.yml (see Testing step 8 below).
Testing (locally)
1. Start Elasticsearch
3. Start Kibana with `yarn start --serverless`
4. Sign into Kibana and open your browser's dev tools
5. In the network tab, inspect one of the requests for localhost
6. In the Headers tab, verify the above defined headers and values are present
7. Stop Kibana, and restart normally with `yarn start`
8. Repeat the process in steps 4-6 and verify that the above defined headers and values are not present
9. Stop Kibana, edit the kibana.dev.yml file by adding `server.securityResponseHeaders.strictTransportSecurity: null`
10. Start Kibana with `yarn start --serverless`
11. Repeat the process in steps 4-6 and verify that the headers and values associated with disableEmbedding are present while the `strict-transport-security` response header is not present.
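As an added example (not code from Kibana or this PR), a small Python checker for the headers the serverless.yml defaults should produce: it parses the HSTS max-age and the CSP frame-ancestors directive and models the three states the testing steps walk through (serverless, non-serverless, and serverless with strictTransportSecurity: null). It assumes Kibana on localhost:5601; fetch_headers is a helper for a live run, and any header sets you feed check_headers directly are your own constructed input.

```python
# Added example (not Kibana's or this PR's code): verifies the headers the
# serverless.yml defaults produce. Assumes Kibana on localhost:5601.
import http.client
import re

HSTS_MIN_AGE = 31536000  # one year, the max-age set in serverless.yml

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def check_headers(headers, serverless=True, hsts_disabled=False):
    """Return findings; an empty list means the headers match the PR.

    headers is keyed by lower-cased name. serverless=True expects the
    hardened headers (steps 4-6), False expects them absent (step 8);
    hsts_disabled models strictTransportSecurity: null (step 11).
    """
    findings = []
    hsts = headers.get("strict-transport-security", "")
    xfo = headers.get("x-frame-options", "")
    csp = headers.get("content-security-policy", "")
    ancestors = csp_directive(csp, "frame-ancestors")
    if serverless and not hsts_disabled:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS missing or max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    elif hsts:
        findings.append("unexpected strict-transport-security header")
    if serverless:
        if xfo.upper() != "SAMEORIGIN":
            findings.append("X-Frame-Options is not SAMEORIGIN")
        if ancestors != ["'self'"]:
            findings.append("CSP frame-ancestors is not 'self'")
    elif xfo or ancestors is not None:
        findings.append("embedding restrictions present outside serverless")
    return findings

def fetch_headers(host="localhost", port=5601, path="/"):
    """Fetch one Kibana response (step 5) as a lower-cased header dict."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}
```

For a live check, call `check_headers(fetch_headers(), serverless=True)` after step 3 and `check_headers(fetch_headers(), serverless=False)` after step 7; a non-empty list names the header that deviates.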