Re: X-Content-Type-Options and strict-transport-security
> On 3. Jul 2020, at 08:53, Sebastien wrote:
>
> Given that CouchDB exposes its functionality over HTTP through a RESTful
> API, IMHO it should allow defining such important HTTP headers for
> security directly.

This is a fair point and a patch/PR to that effect is going to be uncontroversial.

> Only being able to rely on additional infrastructure to secure the system
> is problematic. Indeed many production deployments will have such
> infrastructure in place, but it will not always be the case. Even if it is,
> then it would also require mTLS to ensure a good level of security.
> Moreover, SSL termination is indeed one way, but it's based on the "old
> way", considering internal traffic as trusted, which is not in line with
> current security practices. Defense in depth also considers internal
> traffic as requiring secure communications.

CouchDB does support native TLS.

Best
Jan
—

> kr,
> Sébastien
>
> On Thu, Jul 2, 2020 at 7:17 PM Joan Touzet wrote:
>
>> Best option: use a reverse proxy like haproxy or nginx to inject these.
>> You can also terminate SSL at this layer for better SSL support and
>> performance.
>>
>> -Joan
>>
>> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
>>> Hi
>>>
>>> In our project we would like to set the headers X-Content-Type-Options
>>> and strict-transport-security whenever CouchDB responds to a request.
>>>
>>> How can we set the headers?
>>>
>>> Thanks in advance
>>>
>>> Regards
>>> Darshan
Re: X-Content-Type-Options and strict-transport-security
Given that CouchDB exposes its functionality over HTTP through a RESTful API, IMHO it should allow defining such important HTTP headers for security directly.

Only being able to rely on additional infrastructure to secure the system is problematic. Indeed many production deployments will have such infrastructure in place, but it will not always be the case. Even if it is, then it would also require mTLS to ensure a good level of security.

Moreover, SSL termination is indeed one way, but it's based on the "old way", considering internal traffic as trusted, which is not in line with current security practices. Defense in depth also considers internal traffic as requiring secure communications.

kr,
Sébastien

On Thu, Jul 2, 2020 at 7:17 PM Joan Touzet wrote:
> Best option: use a reverse proxy like haproxy or nginx to inject these.
> You can also terminate SSL at this layer for better SSL support and
> performance.
>
> -Joan
>
> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
>> Hi
>>
>> In our project we would like to set the headers X-Content-Type-Options
>> and strict-transport-security whenever CouchDB responds to a request.
>>
>> How can we set the headers?
>>
>> Thanks in advance
>>
>> Regards
>> Darshan
Re: X-Content-Type-Options and strict-transport-security
Yes, it all depends on your definition of “long term” in your project in relation to your estimation of the arrival of 4.0 j:)

> On 3 Jul 2020, at 08:29, Mody, Darshan Arvindkumar (Darshan) wrote:
>
> Thanks, but list functions are marked deprecated so it would not be a long-term solution
>
> Thanks
> Darshan
>
> -----Original Message-----
> From: Johs Ensby
> Sent: Friday, July 3, 2020 11:58 AM
> To: user@couchdb.apache.org
> Subject: Re: X-Content-Type-Options and strict-transport-security
>
> Hi Darshan,
> I haven’t tried this header, but you should be able to include it in the
> "start" from a design document list function
> https://docs.couchdb.org/en/stable/ddocs/ddocs.html#list-functions
> by adding another property to the headers object:
>
> start({
>   'headers': {
>     'Content-Type': 'text/html'
>   }
> });
>
> Johs
>
>> On 2 Jul 2020, at 19:16, Joan Touzet wrote:
>>
>> Best option: use a reverse proxy like haproxy or nginx to inject these. You
>> can also terminate SSL at this layer for better SSL support and performance.
>>
>> -Joan
>>
>> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
>>> Hi
>>> In our project we would like to set the headers X-Content-Type-Options
>>> and strict-transport-security whenever CouchDB responds to a request. How
>>> can we set the headers?
>>> Thanks in advance
>>> Regards
>>> Darshan

………
Johannes Ensby
Business to Web AS
Tollbugata 8, N-0152 Oslo, Norway
+47 611 00 006 (mobile)
+47 611 00 700 (switchboard)
j...@b2w.com
www.linkedin.com/in/ensby
www.b2w.com
RE: X-Content-Type-Options and strict-transport-security
Thanks, but list functions are marked deprecated so it would not be a long-term solution

Thanks
Darshan

-----Original Message-----
From: Johs Ensby
Sent: Friday, July 3, 2020 11:58 AM
To: user@couchdb.apache.org
Subject: Re: X-Content-Type-Options and strict-transport-security

Hi Darshan,
I haven’t tried this header, but you should be able to include it in the
"start" from a design document list function
https://docs.couchdb.org/en/stable/ddocs/ddocs.html#list-functions
by adding another property to the headers object:

start({
  'headers': {
    'Content-Type': 'text/html'
  }
});

Johs

> On 2 Jul 2020, at 19:16, Joan Touzet wrote:
>
> Best option: use a reverse proxy like haproxy or nginx to inject these. You
> can also terminate SSL at this layer for better SSL support and performance.
>
> -Joan
>
> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
>> Hi
>> In our project we would like to set the headers X-Content-Type-Options
>> and strict-transport-security whenever CouchDB responds to a request. How
>> can we set the headers?
>> Thanks in advance
>> Regards
>> Darshan
Re: X-Content-Type-Options and strict-transport-security
Hi Darshan,
I haven’t tried this header, but you should be able to include it in the
"start" from a design document list function
https://docs.couchdb.org/en/stable/ddocs/ddocs.html#list-functions
by adding another property to the headers object:

start({
  'headers': {
    'Content-Type': 'text/html'
  }
});

Johs

> On 2 Jul 2020, at 19:16, Joan Touzet wrote:
>
> Best option: use a reverse proxy like haproxy or nginx to inject these. You
> can also terminate SSL at this layer for better SSL support and performance.
>
> -Joan
>
> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
>> Hi
>> In our project we would like to set the headers X-Content-Type-Options and
>> strict-transport-security whenever CouchDB responds to a request.
>> How can we set the headers?
>> Thanks in advance
>> Regards
>> Darshan
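Johs's suggestion above, written out as an added example (not code from this thread or from the CouchDB project): a list function that adds both headers Darshan asked for to the `start()` call, together with a small stand-in for the query server's `start()`/`send()`/`getRow()` globals so the function can be exercised outside CouchDB. The header values, the design-document name `secure_json` and the stand-in `runList()` are assumptions. One caveat worth keeping in mind: headers set this way appear only on responses served through that list function, not on CouchDB's regular API responses.

```javascript
// Security headers the list function emits. Values are assumed here:
// "nosniff" disables MIME sniffing; the HSTS max-age is one year and
// covers subdomains. Choose a max-age that fits your deployment.
const SECURITY_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

// The list function as it would be stored in a design document under
// `lists.secure_json` (assumed name). Inside CouchDB, start/send/getRow are
// globals provided by the JavaScript query server; here they are supplied
// by runList() below.
function secureListFunction(head, req) {
  start({
    code: 200,
    headers: Object.assign({ 'Content-Type': 'application/json' }, SECURITY_HEADERS),
  });
  send('[');
  let first = true;
  let row;
  while ((row = getRow())) {
    send((first ? '' : ',') + JSON.stringify(row));
    first = false;
  }
  send(']');
}

// Stand-in for the query-server environment (an assumption that mimics the
// documented start()/send()/getRow() contract; not CouchDB code). It installs
// the three globals, runs the list function over the given rows, removes the
// globals again, and returns the captured status, headers and body.
function runList(listFn, rows) {
  let response = null;
  const chunks = [];
  const queue = rows.slice();
  globalThis.start = (resp) => { response = resp; };
  globalThis.send = (chunk) => { chunks.push(chunk); };
  globalThis.getRow = () => (queue.length ? queue.shift() : null);
  try {
    listFn({ total_rows: rows.length, offset: 0 }, { method: 'GET' });
  } finally {
    delete globalThis.start;
    delete globalThis.send;
    delete globalThis.getRow;
  }
  return { code: response.code, headers: response.headers, body: chunks.join('') };
}

// Constructed sample rows, shaped like the rows a view emits.
const SAMPLE_ROWS = [
  { id: 'doc1', key: 'a', value: 1 },
  { id: 'doc2', key: 'b', value: 2 },
];

const demo = runList(secureListFunction, SAMPLE_ROWS);
console.log(demo.headers);
console.log(demo.body);
```

The stand-in only reproduces the part of the list-function contract the example uses (`start()` once, then `send()` per row); it is enough to confirm which headers the function would hand back before deploying the design document.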
Re: X-Content-Type-Options and strict-transport-security
Best option: use a reverse proxy like haproxy or nginx to inject these. You can also terminate SSL at this layer for better SSL support and performance.

-Joan

On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
> Hi
>
> In our project we would like to set the headers X-Content-Type-Options and
> strict-transport-security whenever CouchDB responds to a request.
>
> How can we set the headers?
>
> Thanks in advance
>
> Regards
> Darshan
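Whichever layer injects the headers, the check a practitioner wants afterwards is that they are really present on every response, including error responses: some proxies attach headers only to successful responses unless configured otherwise (nginx's `add_header`, for instance, needs `always` to cover 4xx/5xx). The audit below is an added example, not code from this thread or from CouchDB or nginx; it takes a response object of the shape most HTTP client libraries return (`status` plus a `headers` map), matches header names case-insensitively, parses the HSTS directives, and reports what is missing or weak. The one-year `max-age` threshold and the constructed sample responses are assumptions.

```javascript
// Minimum HSTS max-age the audit accepts (assumed threshold: one year).
const MIN_HSTS_MAX_AGE = 31536000;

// Returns the value of header `name` regardless of the case it was sent in,
// or undefined when absent. HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Parses an HSTS value such as "max-age=31536000; includeSubDomains; preload".
// Directive names are case-insensitive (RFC 6797).
function parseHsts(value) {
  const directives = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const token = part.trim();
    const m = /^max-age=(\d+)$/i.exec(token);
    if (m) directives.maxAge = parseInt(m[1], 10);
    else if (/^includesubdomains$/i.test(token)) directives.includeSubDomains = true;
    else if (/^preload$/i.test(token)) directives.preload = true;
  }
  return directives;
}

// Audits one response and returns a list of findings; an empty list means
// both headers are present with acceptable values.
function auditSecurityHeaders(response) {
  const findings = [];

  const xcto = getHeader(response.headers, 'X-Content-Type-Options');
  if (xcto === undefined) {
    findings.push('missing X-Content-Type-Options');
  } else if (xcto.trim().toLowerCase() !== 'nosniff') {
    findings.push(`X-Content-Type-Options is "${xcto}", expected "nosniff"`);
  }

  const hsts = getHeader(response.headers, 'Strict-Transport-Security');
  if (hsts === undefined) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const d = parseHsts(hsts);
    if (d.maxAge === null) {
      findings.push('Strict-Transport-Security has no max-age');
    } else if (d.maxAge < MIN_HSTS_MAX_AGE) {
      findings.push(`Strict-Transport-Security max-age ${d.maxAge} is below ${MIN_HSTS_MAX_AGE}`);
    }
    if (!d.includeSubDomains) findings.push('Strict-Transport-Security lacks includeSubDomains');
  }
  return findings;
}

// Constructed sample responses (not captured from a real server): one from a
// correctly configured proxy, one 404 where the proxy added nothing because it
// only decorates success responses, and one with a weak HSTS policy.
const SAMPLE_RESPONSES = {
  proxied_ok: {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'x-content-type-options': 'nosniff',
      'strict-transport-security': 'max-age=31536000; includeSubDomains',
    },
  },
  proxied_404: { status: 404, headers: { 'content-type': 'application/json' } },
  weak_hsts: {
    status: 200,
    headers: { 'X-Content-Type-Options': 'nosniff', 'Strict-Transport-Security': 'max-age=300' },
  },
};

for (const [name, response] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, response.status, auditSecurityHeaders(response));
}
```

Run the audit against a few real endpoints, a document `GET`, an unknown path, and an unauthorized request, so that the error paths are covered as well as the happy path.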
X-Content-Type-Options and strict-transport-security
Hi

In our project we would like to set the headers X-Content-Type-Options and strict-transport-security whenever CouchDB responds to a request.

How can we set the headers?

Thanks in advance

Regards
Darshan