Re: [pgAdmin][5919] Fix security related issues

From: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
To: Ganesh Jaybhay <ganesh(dot)jaybhay(at)enterprisedb(dot)com>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: [pgAdmin][5919] Fix security related issues
Date: 2020-10-20 11:47:26
Message-ID: CANxoLDc-x371pOonhWK_jirbnQi1zJsd4a8qXCqaow-sMpOQ7g@mail.gmail.com
Lists: pgadmin-hackers

Thanks, patch applied.

On Mon, Oct 19, 2020 at 7:17 PM Ganesh Jaybhay <
ganesh(dot)jaybhay(at)enterprisedb(dot)com> wrote:

> Thank you Dave for the suggestion.
>
> Please find the attached updated patch to make HSTS by default disabled
> and conditional based on flag.
>
> Regards,
> Ganesh Jaybhay
>
> On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> Hi
>>
>> On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <
>> ganesh(dot)jaybhay(at)enterprisedb(dot)com> wrote:
>>
>>> Hi Hackers,
>>>
>>> Please find the attached patch to fix the below security issues:
>>>
>>> - Host Header Injection - Added ALLOWED_HOSTS list to limit host
>>> address
>>> - Lack of Content Security Policy (CSP) - Added security header
>>> - Lack of Protection Mechanisms - HSTS - Added security header
>>> - Lack of Cookie Attribute – Secure: Kept as False as Secure limits
>>> cookies to HTTPS traffic only.
>>> - Information Disclosure – Web Server / Development Framework Version
>>> Description: Kept as hard-coded 'Python' instead of exposing
>>> wsgi/python/gunicorn version info.
>>>
>>> Please review and let me know if I have missed anything.
>>>
>>
>> I took a very quick look at this, and one thing that immediately stood
>> out is that HSTS should definitely not be enabled by default. That can make
>> dev/test/redeploy extremely difficult.
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>
>>

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Sr. Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*
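
The five hardening points listed in the quoted patch description (ALLOWED_HOSTS against Host header injection, a Content-Security-Policy header, HSTS kept off unless a flag turns it on, the Secure cookie attribute left off by default, and a Server header hard-coded to 'Python'), shown as an added illustration that is not the patch's or pgAdmin's own code. pgAdmin is a Flask application, and Flask apps are WSGI apps, so the example is a framework-independent WSGI middleware driven offline; the configuration key names, the host names and the leaked `gunicorn/20.0.4` value are constructed for the example and are not taken from pgAdmin's config.py or from this thread.

```python
"""Security-header WSGI middleware: an added illustration, not pgAdmin code.

Configuration keys below are hypothetical; pgAdmin's own config.py may use
different names. The middleware rejects requests whose Host header is not on
the allow-list, adds CSP on every response, adds HSTS only when a flag is set,
and replaces any Server header the app or framework emitted with 'Python'.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

DEFAULT_CONFIG: Dict[str, object] = {
    "ALLOWED_HOSTS": [],  # empty list: no restriction (assumed development default)
    "CONTENT_SECURITY_POLICY": "default-src 'self'",
    "STRICT_TRANSPORT_SECURITY_ENABLED": False,  # HSTS off unless the flag is set
    "STRICT_TRANSPORT_SECURITY": "max-age=31536000; includeSubDomains",
    "SESSION_COOKIE_SECURE": False,  # False so plain-HTTP dev deployments still get cookies
}


def _strip_port(host_header: str) -> str:
    """Return the host part of a Host header, keeping IPv6 brackets intact."""
    h = host_header.strip()
    if h.startswith("[") and "]" in h:  # e.g. [::1]:5050
        return h[: h.index("]") + 1]
    return h.split(":", 1)[0]


def host_allowed(host_header: str, allowed_hosts: List[str]) -> bool:
    """Host header injection check: accept only hosts on the allow-list."""
    if not allowed_hosts:
        return True
    return _strip_port(host_header).lower() in {h.lower() for h in allowed_hosts}


def add_security_headers(headers: Headers, cfg: Dict[str, object]) -> Headers:
    """Add CSP and (optionally) HSTS; replace any Server header with 'Python'."""
    out = [(k, v) for k, v in headers if k.lower() != "server"]
    out.append(("Server", "Python"))  # no wsgi/python/gunicorn version string
    if cfg["CONTENT_SECURITY_POLICY"]:
        out.append(("Content-Security-Policy", str(cfg["CONTENT_SECURITY_POLICY"])))
    if cfg["STRICT_TRANSPORT_SECURITY_ENABLED"]:
        out.append(("Strict-Transport-Security", str(cfg["STRICT_TRANSPORT_SECURITY"])))
    return out


def session_cookie(name: str, value: str, cfg: Dict[str, object]) -> str:
    """Build a Set-Cookie value; the Secure attribute is added only when the flag is on."""
    attrs = [f"{name}={value}", "HttpOnly", "SameSite=Lax", "Path=/"]
    if cfg["SESSION_COOKIE_SECURE"]:
        attrs.append("Secure")
    return "; ".join(attrs)


class SecurityHeadersMiddleware:
    """Wrap a WSGI app: reject bad Host headers, harden every response."""

    def __init__(self, app, config=None):
        self.app = app
        self.cfg = {**DEFAULT_CONFIG, **(config or {})}

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), self.cfg["ALLOWED_HOSTS"]):
            start_response("400 Bad Request",
                           add_security_headers([("Content-Type", "text/plain")], self.cfg))
            return [b"Bad Host header\n"]

        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers, self.cfg), exc_info)

        return self.app(environ, hardened_start_response)


def demo_app(environ, start_response):
    """Constructed inner app that leaks a server version, as an unpatched app might."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "gunicorn/20.0.4")])  # constructed leaked value
    return [b"hello\n"]


def run_request(app, host: str, path: str = "/"):
    """Drive a WSGI app offline and return (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = SecurityHeadersMiddleware(demo_app, {"ALLOWED_HOSTS": ["pgadmin.example.test"]})
    for host in ("pgadmin.example.test:5050", "evil.example.test"):
        status, headers, _ = run_request(app, host)
        print(host, "->", status, headers)
```

Two checks worth making on a real deployment: some WSGI servers and the Werkzeug development server write their own Server header at the server layer after the application returns, so confirm the header on the wire rather than trusting the application-level override; and when the HSTS flag is turned on, the browser will refuse plain HTTP for that host until `max-age` expires, which is exactly why it stays off by default in the patch.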
