From 3575957d8b2c79c948566515e629446bc2ec430d Mon Sep 17 00:00:00 2001
From: Mickael E
Date: Mon, 14 Jan 2019 10:34:16 -0500
Subject: [PATCH] Allow ETag headers for Journalist Interface

ETags are useful to the journalist API to ensure file integrity, and in the future would allow file download resumption. Disabling ETags is a defense against information leakage https://nvd.nist.gov/vuln/detail/CVE-2003-1418. Since inodes are no longer included by Apache by default, since 2.3.14, that Apache only exposes filesize and MTime by default (information readily available on the Journalist interface, that the Journalist Interface is behind ATHS, it should be safe to re-enable ETags on the journalist interface only.
---
 .../roles/app/templates/sites-available/journalist.conf | 1 -
 .../staging/app/apache/test_apache_journalist_interface.py | 1 -
 2 files changed, 2 deletions(-)

diff --git a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
index 6dec14bec46..3beeec1418c 100644
--- a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
+++ b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
@@ -31,7 +31,6 @@ Header set X-Content-Type-Options: nosniff
 Header set X-Download-Options: noopen
 Header set X-Content-Security-Policy: "default-src 'self'"
 Header set Content-Security-Policy: "default-src 'self'"
-Header unset Etag
 
 # Limit the max submitted size of requests.
 LimitRequestBody 524288000
diff --git a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
index e99eb40ffb9..8edf0b771b1 100644
--- a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
+++ b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
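Review bot: With `Header unset Etag` gone, what the journalist interface leaks through the ETag now depends entirely on Apache's built-in `FileETag` default, which the commit message says has excluded the inode since 2.3.14; nothing in journalist.conf pins that assumption. Adding `FileETag MTime Size` next to the remaining Header lines makes the no-inode property hold regardless of how the installed httpd was built or what a distro-level config sets, and it gives the expected-directives list in test_apache_journalist_interface.py a concrete line to assert instead of only checking that the unset is absent. The description's "ensure file integrity" also deserves a one-line comment above the directive: an mtime+size ETag lets a client notice a changed or truncated download, it is not a hash and does not detect tampering, so API clients that need integrity should still verify a digest.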
@@ -16,7 +16,6 @@
 "Header set X-Content-Security-Policy: \"default-src 'self'\"",
 "Header set Content-Security-Policy: \"default-src 'self'\"",
 'Header set Referrer-Policy "no-referrer"',
- 'Header unset Etag',
 ]