Re: [pgAdmin][5919] Fix security related issues

Поиск
Список
Период
Сортировка
От Dave Page
Тема Re: [pgAdmin][5919] Fix security related issues
Дата
Msg-id CA+OCxowZ1XrTtZ2Caz0nRuNX5T8zQ3YbyJV5RDs80_v=f5m-Xg@mail.gmail.com
обсуждение исходный текст
Ответ на [pgAdmin][5919] Fix security related issues  (Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com>)
Ответы Re: [pgAdmin][5919] Fix security related issues
Список pgadmin-hackers
Дерево обсуждения
Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Hi Hackers,

Please find the attached patch to fix the below security issues:
  • Host Header Injection - Added ALLOWED_HOSTS list to limit host address 
  • Lack of Content Security Policy (CSP) - Added security header
  • Lack of Protection Mechanisms - HSTS - Added security header
  • Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
  • Information Disclosure – Web Server / Development Framework VersionDescription: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
 
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com

В списке pgadmin-hackers по дате отправления: