
thewatermethod

@thewatermethod thewatermethod commented Jul 16, 2024

Description of change

Resolve OWASP generated warnings in the CI around the content security policy by adding new configuration and self-hosting a font we previously linked from Google. Also disallowed the "x-powered-by" header to stop easy sniffing of our platform code.

Note that we are currently unable to resolve one medium issue around the style-src CSP. Plotly still injects CSS in a manner considered unsafe (issue; fix awaiting merge).

How to test

Confirm that all the "medium" errors are resolved in the dynamic security scan, except for the one that cannot be resolved ("style-src contains unsafe-inline").

Confirm that assets are still loaded as expected and the site still functions, etc. This PR is deployed to sandbox for easier testing.

Issue(s)

Checklists

Every PR

  • Meets issue criteria
  • JIRA ticket status updated
  • Code is meaningfully tested
  • Meets accessibility standards (WCAG 2.1 Levels A, AA)
  • API Documentation updated
  • Boundary diagram updated
  • Logical Data Model updated
  • Architectural Decision Records written for major infrastructure decisions
  • UI review complete

Before merge to main

  • OHS demo complete
  • Ready to create production PR

Production Deploy

  • Staging smoke test completed

After merge/deploy

  • Update JIRA ticket status
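The configuration described in this PR, as an added example that is not the project's own code: it builds a Content-Security-Policy value with the font self-hosted, pre-checks the directives the way a dynamic scanner would (so the remaining style-src finding is expected), and drops the X-Powered-By header. The directive values and the Express-style `res.setHeader`/`res.removeHeader` API are assumptions.

```javascript
// Added example, not code from the PR. Directive values are illustrative;
// the response object is assumed to expose Express-style setHeader/removeHeader.
// Fonts are served from 'self' (no fonts.gstatic.com entry). style-src keeps
// 'unsafe-inline' because Plotly injects inline CSS, the one known remaining finding.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'font-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"],
  'object-src': ["'none'"],
};

// Serialise a directive map into the header value, one directive per ';'.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Report what a scanner typically flags: missing fallback/anti-framing
// directives and unsafe source keywords, one string per finding.
function lintCsp(directives) {
  const findings = [];
  for (const required of ['default-src', 'frame-ancestors', 'object-src']) {
    if (!directives[required]) findings.push(`missing ${required}`);
  }
  for (const [name, sources] of Object.entries(directives)) {
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*']) {
      if (sources.includes(bad)) findings.push(`${name} contains ${bad}`);
    }
  }
  return findings;
}

// Apply headers to one response. Express sets X-Powered-By by default; it is
// removed here per response (app.disable('x-powered-by') does the same globally).
function applySecurityHeaders(res) {
  res.removeHeader('X-Powered-By');
  res.setHeader('Content-Security-Policy', buildCsp(CSP_DIRECTIVES));
  res.setHeader('X-Content-Type-Options', 'nosniff');
  return res;
}

if (typeof module !== 'undefined') {
  module.exports = { CSP_DIRECTIVES, buildCsp, lintCsp, applySecurityHeaders };
}
```

Running `lintCsp(CSP_DIRECTIVES)` returns only the style-src finding, matching the one medium issue the PR leaves open.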

@thewatermethod thewatermethod merged commit 9e3bab1 into main Jul 18, 2024
@thewatermethod thewatermethod deleted the mb/TTAHUB-3040/owasp branch July 18, 2024 14:44