Re: [pgAdmin][5919] Fix security related issues

From: Ganesh Jaybhay <ganesh(dot)jaybhay(at)enterprisedb(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: [pgAdmin][5919] Fix security related issues
Date: 2020-10-19 13:46:58
Message-ID: CAK6syAqACY7Ab-HBDB5+0D0xkqMaH0=FM5j5G0yfjZqit4Lp3Q@mail.gmail.com
Lists: pgadmin-hackers

Thank you Dave for the suggestion.

Please find the attached updated patch to make HSTS disabled by default and
conditional on a flag.

Regards,
Ganesh Jaybhay

On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Hi
>
> On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <
> ganesh(dot)jaybhay(at)enterprisedb(dot)com> wrote:
>
>> Hi Hackers,
>>
>> Please find the attached patch to fix the below security issues:
>>
>> - Host Header Injection: Added ALLOWED_HOSTS list to limit host
>> address
>> - Lack of Content Security Policy (CSP): Added security header
>> - Lack of Protection Mechanisms (HSTS): Added security header
>> - Lack of Cookie Attribute (Secure): Kept as False as Secure limits
>> cookies to HTTPS traffic only.
>> - Information Disclosure (Web Server / Development Framework
>> Version): Kept as hard coded 'Python' instead of exposing
>> wsgi/python/gunicorn version info.
>>
>> Please review and let me know if I have missed anything.
>>
>
> I took a very quick look at this, and one thing that immediately stood out
> is that HSTS should definitely not be enabled by default. That can make
> dev/test/redeploy extremely difficult.
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: http://www.enterprisedb.com
>
>

Attachment Content-Type Size
RM5919_v1.patch application/x-patch 13.2 KB
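The fixes listed in the thread (host allow-list, CSP header, HSTS only when a flag is set, and a generic Server header in place of the wsgi/gunicorn version) can be demonstrated as a small WSGI middleware. This is an added, self-contained example and not code from the RM5919 patch or from pgAdmin; the flag name `HSTS_ENABLED`, the CSP value and the allow-list entries are assumed sample values.

```python
"""Pure-Python WSGI middleware illustrating the header fixes discussed above."""

# Constructed sample configuration; only ALLOWED_HOSTS is named in the thread,
# HSTS_ENABLED and CONTENT_SECURITY_POLICY are hypothetical key names.
DEFAULT_CONFIG = {
    "ALLOWED_HOSTS": ["localhost", "127.0.0.1"],
    "HSTS_ENABLED": False,  # off by default, as requested in review
    "CONTENT_SECURITY_POLICY": "default-src 'self'",
}


class SecurityHeadersMiddleware:
    def __init__(self, app, config=None):
        self.app = app
        self.config = dict(DEFAULT_CONFIG, **(config or {}))

    @staticmethod
    def _host_name(raw_host):
        """Strip the port from a Host header value, handling IPv6 literals."""
        if raw_host.startswith("["):
            return raw_host[1:raw_host.find("]")]
        return raw_host.split(":", 1)[0]

    def __call__(self, environ, start_response):
        # Host header injection: reject anything not on the allow-list.
        host = self._host_name(environ.get("HTTP_HOST", ""))
        if host not in self.config["ALLOWED_HOSTS"]:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad host header\n"]

        def _start_response(status, headers, exc_info=None):
            # Information disclosure: replace whatever Server header the app set.
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            headers.append(("Server", "Python"))
            headers.append(("Content-Security-Policy",
                            self.config["CONTENT_SECURITY_POLICY"]))
            if self.config["HSTS_ENABLED"]:  # conditional on the flag only
                headers.append(("Strict-Transport-Security",
                                "max-age=31536000; includeSubDomains"))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def hello_app(environ, start_response):
    """Stand-in application that leaks a server version, as gunicorn would."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "gunicorn/0.0-sample")])
    return [b"hello\n"]


def run_request(app, host):
    """Drive `app` through one GET using the WSGI protocol; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```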
