
Add security response headers #3124

Merged
merged 9 commits into from
Aug 30, 2019

Conversation

@lbeaufort (Member) commented Aug 22, 2019

Summary

Resolves #3069

  • Adds content security policy response headers to every page. See original issue for background information.
  • Add report-uri that sends violation reports to API for now (ran into csrf issues with a Django route)
  • Add CSRF_TRUSTED_ORIGINS setting to address csrf errors

Impacted areas of the application

List general components of the application that this PR will affect:

  • This will impact everything on our website. Need to make sure that there are no loading errors for anything we pull into our site like api calls, scripts, images, fonts, etc.

Screenshots

None, this is pure code

Related PRs

List related PRs against other branches:

branch: openFEC/feature/3876-add-response-headers; PR: link

How to test

Check each section of the site to make sure that the content security policy is not interfering with anything we're pulling into the site.

  • Homepage
  • Data landing
  • Election search page
  • All datatable pages
  • Candidate profile pages
  • Committee profile pages
  • Election profile pages
  • Wagtail admin (creating new pages, updating pages, saving pages, adding new block components)
  • Wagtail generated pages
  • Legal resource pages

How to test the changes on stage
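The middleware the summary describes (a Content-Security-Policy with a report-uri on every response, plus a Cache-Control header), as an added example; this is not the project's own fec/fec/middleware.py. The source hosts, the report endpoint and the Cache-Control value are assumptions, and a plain dict stands in for Django's HttpResponse so the code runs without Django installed.

```python
# Added example (not fec-cms code): a Django-style middleware that adds a
# Content-Security-Policy with report-uri and a Cache-Control header to every
# response. It follows Django's middleware protocol (a class wrapping
# get_response) but uses a plain dict as the response object. Hosts, the
# report endpoint and the Cache-Control value below are assumed.

# Constructed policy: one source list per CSP directive.
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.test"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", "https://api.example.test"],
}
REPORT_URI = "https://api.example.test/csp-report/"  # assumed report endpoint
CACHE_CONTROL = "no-cache, no-store, must-revalidate"  # assumed value


def build_csp(directives, report_uri=None):
    """Serialize {directive: [sources]} into a Content-Security-Policy value."""
    parts = [f"{name} {' '.join(srcs)}" for name, srcs in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def parse_csp(value):
    """Inverse of build_csp, useful for checking what a live site sends."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


class SecurityHeadersMiddleware:
    """Sets CSP and Cache-Control unless the view already set them."""

    def __init__(self, get_response):
        self.get_response = get_response
        self.csp = build_csp(CSP_DIRECTIVES, REPORT_URI)

    def __call__(self, request):
        response = self.get_response(request)
        # setdefault exists on dict and on django.http.HttpResponse alike
        response.setdefault("Content-Security-Policy", self.csp)
        response.setdefault("Cache-Control", CACHE_CONTROL)
        return response


def handle(request, view=lambda request: {}):
    """Run one request through the middleware and return its headers."""
    return SecurityHeadersMiddleware(view)(request)
```

A quick `curl -I` against a running site, parsed with `parse_csp`, is the same check the reviewers below describe doing by hand.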

@codecov-io commented Aug 22, 2019

Codecov Report

No coverage uploaded for pull request base (develop@9aee54b).
The diff coverage is 100%.

@@            Coverage Diff             @@
##             develop    #3124   +/-   ##
==========================================
  Coverage           ?   74.67%           
==========================================
  Files              ?      120           
  Lines              ?     7151           
  Branches           ?      633           
==========================================
  Hits               ?     5340           
  Misses             ?     1811           
  Partials           ?        0
Impacted Files             Coverage   Δ
fec/fec/settings/base.py   87.95%     <100%> (ø)
fec/fec/middleware.py      100%       <100%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 9aee54b...2cbee26.

@lbeaufort force-pushed the feature/add-headers-middleware branch 6 times, most recently from c4968bb to b2accbf (August 26, 2019 01:42)
@lbeaufort force-pushed the feature/add-headers-middleware branch from b2accbf to 6707353 (August 28, 2019 00:22)
@lbeaufort force-pushed the feature/add-headers-middleware branch 6 times, most recently from 6018542 to 01b8dd9 (August 28, 2019 14:29)
@lbeaufort force-pushed the feature/add-headers-middleware branch from 59d8e59 to 0ba47f0 (August 28, 2019 23:07)
@lbeaufort changed the title from "[WIP] Add security response headers on Django side" to "Add security response headers" (Aug 29, 2019)
@lbeaufort force-pushed the feature/add-headers-middleware branch from c78ba9a to 0ba47f0 (August 29, 2019 00:14)
@lbeaufort force-pushed the feature/add-headers-middleware branch from 3c7f258 to 2cbee26 (August 29, 2019 22:35)
@patphongs (Member) left a comment

Changes look good! I don't see any further errors for the CSP and the cache-control header is now coming through on the app level domain. This was tested on stage. Thanks for your work on this @lbeaufort!

@fec-jli (Contributor) left a comment

This is great work.
1) On local CMS (pointing to local API): played with some CSP directives, works as expected. Ran curl command, saw CSP and cache-control added.
2) On stage, tested most pages. Work fine.
3) Ran scan on website "stage.fec.gov" and got A score (before: C).

Development

Successfully merging this pull request may close these issues.

[Tenable] CMS missing/inadequate headers (due 8/31/19)