sbp commented on issue #954: URL: https://github.com/apache/tooling-trusted-releases/issues/954#issuecomment-4183514640
> All four blueprints define before_request hooks but none define `after_request` hooks that would add security headers.

We set a global `@app.after_request` called `add_security_headers` in `server.py`. In addition, only two of the blueprints define `before_request` hooks.

The issue references ASVS 14.3.2:

> Verify that the application sets sufficient anti-caching HTTP response header fields (i.e., Cache-Control: no-store) so that sensitive data is not cached in browsers.

This criterion applies to sensitive data only. It does not apply to all data. Therefore this issue is really to identify sensitive data served by ATR and ensure that `Cache-Control: no-store` is set.

The only routes, by design, that serve sensitive data in ATR are those that set PATs or JWTs:

* POST `/tokens/jwt` - serves a JWT, but already has `no-store` set.
* GET and POST `/tokens` - serves a PAT. Does not have `no-store` set.
* POST `/jwt/create` - serves a JWT. Does not have `no-store` set.

So there are two routes that require `no-store`, only.

Despite that, we let this through triage into the issues list because we wanted to consider either setting `no-store` always and then not having to always identify secret-bearing routes, or to isolate such routes in a new blueprint.

Most of our routes are dynamic enough, and our user base small enough, that we do not have to worry about caching. Therefore setting `no-store` bears minimal performance gain for a small security gain, and we should probably take it.
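As an added example (not ATR's code or the project's own), a framework-agnostic WSGI middleware that implements both options from the comment above, targeted `no-store` on the three token routes or `no-store` always, together with an audit helper that lists the secret-bearing routes whose response still lacks the header. `demo_app`, `NoStoreMiddleware`, `run_request` and `missing_no_store` are constructed names; `demo_app` is a stand-in that mirrors the state described in the issue.

```python
"""Force Cache-Control: no-store on secret-bearing routes (constructed example)."""

# Routes that serve PATs or JWTs, as listed in the issue discussion.
SECRET_BEARING_ROUTES = {"/tokens", "/tokens/jwt", "/jwt/create"}


def _set_header(headers, name, value):
    """Replace any existing header `name` (case-insensitively) with `value`."""
    kept = [(k, v) for k, v in headers if k.lower() != name.lower()]
    kept.append((name, value))
    return kept


class NoStoreMiddleware:
    """WSGI wrapper; always=True is the 'set no-store globally' option."""

    def __init__(self, app, always=False):
        self.app = app
        self.always = always

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        apply = self.always or path in SECRET_BEARING_ROUTES

        def patched_start_response(status, headers, exc_info=None):
            if apply:
                headers = _set_header(headers, "Cache-Control", "no-store")
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def run_request(app, path, method="GET"):
    """Drive a WSGI app offline; return (status, lower-cased header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": method}, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed stand-in: only /tokens/jwt already sets no-store, as in the issue."""
    path = environ["PATH_INFO"]
    headers = [("Content-Type", "text/plain")]
    if path == "/tokens/jwt":
        headers.append(("Cache-Control", "no-store"))
    start_response("200 OK", headers)
    return [b"placeholder-secret" if path in SECRET_BEARING_ROUTES else b"public"]


def missing_no_store(app, routes=SECRET_BEARING_ROUTES):
    """Audit helper: secret-bearing routes whose response lacks Cache-Control: no-store."""
    return sorted(p for p in routes
                  if "no-store" not in run_request(app, p)[1].get("cache-control", ""))
```

Run `missing_no_store(demo_app)` against the unwrapped app to get the two routes the comment identifies; wrap it in `NoStoreMiddleware` and the list is empty.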
