Thanks, patch applied.

On Mon, Oct 19, 2020 at 7:17 PM Ganesh Jaybhay <ganesh.jayb...@enterprisedb.com> wrote:

> Thank you Dave for the suggestion.
>
> Please find the attached updated patch to make HSTS disabled by default
> and conditional based on a flag.
>
> Regards,
> Ganesh Jaybhay
>
> On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dp...@pgadmin.org> wrote:
>
>> Hi
>>
>> On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jayb...@enterprisedb.com> wrote:
>>
>>> Hi Hackers,
>>>
>>> Please find the attached patch to fix the below security issues:
>>>
>>> - Host Header Injection - Added ALLOWED_HOSTS list to limit host address
>>> - Lack of Content Security Policy (CSP) - Added security header
>>> - Lack of Protection Mechanisms - HSTS - Added security header
>>> - Lack of Cookie Attribute - Secure: Kept as False as secure limits
>>>   cookies to HTTPS traffic only.
>>> - Information Disclosure - Web Server / Development Framework Version
>>>   Description: Kept as hard coded 'Python' instead of exposing
>>>   wsgi/python/gunicorn version info.
>>>
>>> Please review and let me know if I have missed anything.
>>>
>>
>> I took a very quick look at this, and one thing that immediately stood
>> out is that HSTS should definitely not be enabled by default. That can make
>> dev/test/redeploy extremely difficult.
>>
>> --
>> Dave Page
>> Blog: http://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: http://www.enterprisedb.com
>>

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Sr. Software Architect*
*EDB Postgres <http://edbpostgres.com>*
*Mobile: +91 976-788-8246*
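The thread above describes four of the hardening items in general terms: an ALLOWED_HOSTS allow-list against Host header injection, a Content-Security-Policy header, an HSTS header that is off by default and only emitted when a flag is set, and a hard-coded 'Python' Server header instead of the real wsgi/python/gunicorn version. The following is an added example written for this note, not the pgAdmin patch itself; it shows those four behaviours as a small standard-library WSGI middleware. The class and function names, the allow-list entries, the constructed inner application, the exact CSP string and the hsts_enabled flag are all assumptions for illustration.

```python
"""Illustrative WSGI middleware (hypothetical; not pgAdmin's implementation)."""

# Constructed allow-list: every value is an example host, not a real deployment.
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "pgadmin.example.test"]

# Assumed header values; a real policy would be tuned to the application.
CSP_VALUE = "default-src 'self'; object-src 'none'; frame-ancestors 'self'"
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def host_allowed(host_header, allowed_hosts):
    """Return True if the Host header, with any port stripped, is in the allow-list.

    IPv6 literals keep their brackets, so the allow-list entry must be "[::1]".
    Matching is exact: "localhost.attacker.example" does not match "localhost".
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host in {h.lower() for h in allowed_hosts}


def security_headers(hsts_enabled):
    """Headers appended to every response; HSTS only when the flag is on."""
    headers = [("Content-Security-Policy", CSP_VALUE)]
    if hsts_enabled:
        headers.append(("Strict-Transport-Security", HSTS_VALUE))
    return headers


class SecurityMiddleware:
    """Reject unexpected Host headers, add CSP/HSTS, and hide the Server version."""

    def __init__(self, app, allowed_hosts, hsts_enabled=False):
        self.app = app
        self.allowed_hosts = list(allowed_hosts)
        self.hsts_enabled = hsts_enabled  # assumed name for the config flag

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "")
        if not host_allowed(host, self.allowed_hosts):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Host header"]

        def wrapped_start_response(status, headers, exc_info=None):
            # Drop whatever Server header the inner stack set and replace it.
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            headers.append(("Server", "Python"))
            headers.extend(security_headers(self.hsts_enabled))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def hello_app(environ, start_response):
    """Constructed inner application that leaks a version string, as a stack might."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Server", "ExampleServer/1.0 (constructed)")])
    return [b"hello"]


def build_app(hsts_enabled=False):
    return SecurityMiddleware(hello_app, ALLOWED_HOSTS, hsts_enabled=hsts_enabled)


def run_request(app, host_header, path="/"):
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "HTTP_HOST": host_header, "wsgi.url_scheme": "http"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for flag in (False, True):
        status, headers, _ = run_request(build_app(hsts_enabled=flag), "localhost:5050")
        print(flag, status, headers)
    print(run_request(build_app(), "evil.example")[0])
```

The HSTS flag defaulting to False mirrors Dave's point: once a browser has cached a long max-age for a development hostname, plain-HTTP redeploys to that name stop working until the entry expires or is cleared, so the header is opt-in for deployments that are committed to HTTPS.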