Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay < ganesh.jayb...@enterprisedb.com> wrote:

> Hi Hackers,
>
> Please find the attached patch to fix the below security issues:
>
> - Host Header Injection - Added ALLOWED_HOSTS list to limit host address
> - Lack of Content Security Policy (CSP) - Added security header
> - Lack of Protection Mechanisms - HSTS - Added security header
> - Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
> - Information Disclosure – Web Server / Development Framework Version
>   Description: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
>
> Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EDB: http://www.enterprisedb.com
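The five items in the thread (ALLOWED_HOSTS, CSP, HSTS, the Secure cookie attribute, and the hard-coded Server header) can all be applied in one place in front of a WSGI application. The following is an added example, not the attached patch and not pgAdmin's code: a stdlib-only WSGI middleware that rejects requests whose Host header is not in the allow-list, overwrites the Server header with the literal 'Python', adds a CSP header, only emits Strict-Transport-Security when explicitly enabled and the request actually arrived over HTTPS (so it is off by default, per Dave's objection), and adds the Secure attribute to Set-Cookie only on HTTPS requests rather than globally. The names SecurityHeadersMiddleware, host_allowed, strip_port, demo_app and call, the cookie name pga4_session, and the request/response values are assumptions constructed for the example; the ".domain" suffix matching follows the Django ALLOWED_HOSTS convention and is not something the patch is known to do.

```python
"""Added example (not pgAdmin's code): WSGI middleware applying the host
allow-list, CSP, opt-in HSTS, Secure-cookie and Server-header mitigations
discussed in the thread.  All names and sample values are assumptions."""

from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def strip_port(host_header: str) -> str:
    """Drop an optional :port from a Host value, keeping IPv6 literals intact."""
    if host_header.startswith("["):
        return host_header.split("]", 1)[0] + "]"
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def host_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the Host header matches the allow-list.

    "*" allows any host (development only); ".example.com" matches the
    domain and every subdomain; anything else must match exactly."""
    host = strip_port(host_header.strip()).lower()
    if not host:
        return False
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern == "*":
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
        if host == pattern:
            return True
    return False


class SecurityHeadersMiddleware:
    """Wraps a WSGI app; HSTS is opt-in and never sent on plain-HTTP requests."""

    def __init__(self, app: Callable, allowed_hosts: Iterable[str],
                 enable_hsts: bool = False,
                 csp: str = "default-src 'self'; frame-ancestors 'none'",
                 server_name: str = "Python"):
        self.app = app
        self.allowed_hosts = list(allowed_hosts)
        self.enable_hsts = enable_hsts
        self.csp = csp
        self.server_name = server_name

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), self.allowed_hosts):
            # Reject before the application ever sees the request.
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Server", self.server_name)])
            return [b"Bad Request: Host header not in ALLOWED_HOSTS\n"]
        is_https = environ.get("wsgi.url_scheme") == "https"

        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, self._harden(headers, is_https), exc_info)

        return self.app(environ, patched_start_response)

    def _harden(self, headers: Headers, is_https: bool) -> Headers:
        out: Headers = []
        for name, value in headers:
            lname = name.lower()
            if lname == "server":
                continue  # replaced below with the fixed, version-free value
            if lname == "set-cookie" and is_https:
                attrs = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
                if "secure" not in attrs:
                    value += "; Secure"  # only on HTTPS, so plain-HTTP dev setups keep working
            out.append((name, value))
        out.append(("Server", self.server_name))
        out.append(("Content-Security-Policy", self.csp))
        if self.enable_hsts and is_https:
            out.append(("Strict-Transport-Security", "max-age=31536000; includeSubDomains"))
        return out


def demo_app(environ, start_response):
    """Constructed inner app that leaks a server version and sets a cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "gunicorn/20.0.4"),
                              ("Set-Cookie", "pga4_session=abc123; Path=/")])
    return [b"ok\n"]


def call(app: Callable, host: str, scheme: str = "http"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"HTTP_HOST": host, "wsgi.url_scheme": scheme,
               "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = SecurityHeadersMiddleware(demo_app, allowed_hosts=["localhost", "127.0.0.1", "[::1]"])
    for host in ("localhost:5050", "attacker.example"):
        status, headers, _ = call(app, host)
        print(host, "->", status, dict(headers))
```

With the defaults the wrapped app never sends HSTS, so a developer can still reach it over http://localhost and a redeploy to a different hostname does not strand browsers that cached a long max-age. Enabling HSTS is a deliberate per-deployment choice (enable_hsts=True) and even then the header is only sent on HTTPS responses, which is the only place browsers honour it.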