Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Task]: Enable HTTPs Redirect for API #961

Closed
1 task
acouch opened this issue Jan 3, 2024 · 5 comments
Closed
1 task

[Task]: Enable HTTPs Redirect for API #961

acouch opened this issue Jan 3, 2024 · 5 comments
Labels
project: grants.gov Grants.gov Modernization tickets security: scans - medium security: scans

Comments

@acouch
Copy link
Collaborator

acouch commented Jan 3, 2024
edited
Loading

Summary

This might be close once we implement #906.

NIST-800 53 requires Application Load Balancer should be configured to redirect all HTTP requests to HTTPS. The current API in dev does not have HTTPS enabled.

Acceptance criteria

  • ELB.1 check passes
@acouch acouch added the project: grants.gov Grants.gov Modernization tickets label Jan 3, 2024
@acouch acouch moved this from Icebox to Blocked in Simpler.Grants.gov Product Backlog Jan 3, 2024
@coilysiren
Copy link
Collaborator

I'm +1 on letting this wait until we get the proper API URLs, eg. #906

@coilysiren
Copy link
Collaborator

POAM:

  • add "no index" and related functionality to our dev build, so the general public doesn't stumble onto our dev site link
  • add a DNS CNAME that points to our dev load balancers, like beta.grants.gov used to
  • configure TLS for that dev site, either a CA cert or a self signed one
  • configure the load balancer to redirect HTTP to HTTPS

@coilysiren coilysiren mentioned this issue Jan 16, 2024
Open
2 tasks
@sumiat sumiat modified the milestones: Security - Control implementations, Security - Future work Feb 1, 2024
@coilysiren
Copy link
Collaborator

This is blocked because we need a HTTPS URL to redirect to.

@coilysiren
Copy link
Collaborator

Blocked by #906

@acouch
Copy link
Collaborator Author

acouch commented Mar 19, 2024

This is done:

$curl http://api.simpler.grants.gov/ -I
HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Date: Tue, 19 Mar 2024 18:22:21 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://api.simpler.grants.gov:443/

@acouch acouch closed this as completed Mar 19, 2024
@acouch acouch removed the refinement label Mar 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
project: grants.gov Grants.gov Modernization tickets security: scans - medium security: scans
Projects
Simpler.Grants.gov Product Backlog
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@acouch @coilysiren @sumiat