Re: [pgAdmin][5919] Fix security related issues

From: Ganesh Jaybhay
Subject: Re: [pgAdmin][5919] Fix security related issues
Msg-id: CAK6syAqACY7Ab-HBDB5+0D0xkqMaH0=FM5j5G0yfjZqit4Lp3Q@mail.gmail.com
In reply to: Re: [pgAdmin][5919] Fix security related issues (Dave Page <dpage@pgadmin.org>)
Responses: Re: [pgAdmin][5919] Fix security related issues (Akshay Joshi <akshay.joshi@enterprisedb.com>)
List: pgadmin-hackers
Thank you Dave for the suggestion.

Please find attached the updated patch, which makes HSTS disabled by default and conditional on a flag.

Regards,
Ganesh Jaybhay

On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:
Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Hi Hackers,

Please find the attached patch to fix the security issues below:
  • Host Header Injection: added an ALLOWED_HOSTS list to limit the host address.
  • Lack of Content Security Policy (CSP): added the security header.
  • Lack of Protection Mechanisms (HSTS): added the security header.
  • Lack of Cookie Attribute (Secure): kept as False, as Secure limits cookies to HTTPS traffic only.
  • Information Disclosure (Web Server / Development Framework Version): kept as the hard-coded 'Python' instead of exposing the wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
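To make the items in the patch description concrete, the following is an added, stdlib-only WSGI sketch of the behaviour being discussed: a Host header allow-list, a Content-Security-Policy header, HSTS emitted only when a flag is set (per Dave's objection to having it on by default), and a fixed Server value in place of the wsgi/python/gunicorn version string. This is example code written for this page, not pgAdmin's code and not the attached patch; the config keys ALLOWED_HOSTS, ENABLE_HSTS, HSTS_MAX_AGE and CONTENT_SECURITY_POLICY, the demo application and the request used to drive it are all assumptions.

```python
"""Hypothetical WSGI middleware illustrating the fixes discussed in the
thread.  Not pgAdmin's code; config key names and the demo request are
assumptions made for illustration."""
import re

# A hostname (or bracketed IPv6 literal) with an optional :port.  Anything
# else in the Host header (userinfo, a path, whitespace) fails to match.
_HOST_RE = re.compile(r"(?P<host>[a-z0-9.-]+|\[[a-f0-9:.]+\])(?::\d{1,5})?")

DEFAULT_CSP = "default-src 'self'"  # assumed default policy


def host_allowed(host_header, allowed_hosts):
    """True if the Host header matches the allow-list.

    An empty allow-list accepts any host (the pre-patch behaviour).  The
    port is ignored, matching is case-insensitive, and an entry starting
    with '.' also matches every subdomain of that domain.
    """
    if not allowed_hosts:
        return True
    m = _HOST_RE.fullmatch((host_header or "").strip().lower())
    if not m:
        return False
    hostname = m.group("host").strip("[]")
    for entry in allowed_hosts:
        entry = entry.strip().lower().strip("[]")
        if entry.startswith("."):
            if hostname == entry[1:] or hostname.endswith(entry):
                return True
        elif hostname == entry:
            return True
    return False


def security_headers(config):
    """Headers stamped on every response; HSTS only when ENABLE_HSTS is set."""
    headers = [
        ("Server", "Python"),  # fixed value, no wsgi/python/gunicorn version
        ("Content-Security-Policy",
         config.get("CONTENT_SECURITY_POLICY", DEFAULT_CSP)),
    ]
    if config.get("ENABLE_HSTS", False):
        max_age = int(config.get("HSTS_MAX_AGE", 31536000))
        headers.append(("Strict-Transport-Security",
                        f"max-age={max_age}; includeSubDomains"))
    return headers


class SecurityMiddleware:
    """Reject requests whose Host is not allow-listed; add the headers."""

    def __init__(self, app, config):
        self.app = app
        self.config = config

    def __call__(self, environ, start_response):
        extra = security_headers(self.config)
        host = environ.get("HTTP_HOST", "")
        if not host_allowed(host, self.config.get("ALLOWED_HOSTS", [])):
            body = b"400 Bad Request: Host header not allowed\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))] + extra)
            return [body]

        def _start_response(status, headers, exc_info=None):
            # Drop same-named headers set by the app so our values win.
            ours = {name.lower() for name, _ in extra}
            kept = [(n, v) for n, v in headers if n.lower() not in ours]
            return start_response(status, kept + extra, exc_info)

        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Constructed stand-in app that leaks a Server version string."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "gunicorn/20.0.4")])
    return [b"hello\n"]


def call(app, host):
    """Drive a WSGI app with a constructed GET; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_HOST": host, "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    mw = SecurityMiddleware(demo_app, {"ALLOWED_HOSTS": ["localhost"]})
    print(call(mw, "localhost:5050")[:2])
    print(call(mw, "attacker.example")[:2])
    hsts = SecurityMiddleware(demo_app, {"ALLOWED_HOSTS": ["localhost"],
                                         "ENABLE_HSTS": True})
    print(call(hsts, "localhost")[1]["Strict-Transport-Security"])
```

Two points worth noting when adapting something like this: the Host check is done before the application runs, so a request with a forged Host never reaches code that might build absolute URLs from it; and how a front-end server treats an application-supplied Server header varies by server, so the hard-coded value should be verified on the wire rather than assumed.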
