
improve examples in README to add common security related headers #583

Open
sbp-bvanb opened this issue Nov 4, 2024 · 6 comments

@sbp-bvanb

Something like custom headers: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-headers

By default, the voucher should set some default headers in the response like Referrer-Policy

@bnfinet
Member

bnfinet commented Nov 4, 2024

@sbp-bvanb thanks for the suggestion

Could you expand on this a bit? What's your motivation here? What problem are you trying to solve?

Is this kubernetes specific? Is this CORS specific? You should be able to add custom headers to the http request in NGINX.

@sbp-bvanb
Author

sbp-bvanb commented Nov 4, 2024

A number of default security headers should be present in multiple layers, also on application level like:

```go
c.Response().Header().Set("Referrer-Policy", "no-referrer")
c.Response().Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
c.Response().Header().Set("X-Content-Type-Options", "nosniff")
c.Response().Header().Set("X-Frame-Options", "DENY")
```

Other applications like Grafana and ArgoCD do this as well if a request is issued to their services.
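As an added example (not the project's or the commenter's own code), here is a plain net/http middleware that sets the four headers from the snippet above on every response. It goes one step beyond the snippet: Strict-Transport-Security is only emitted when the request arrived over TLS, either directly or as reported by a TLS-terminating proxy through X-Forwarded-Proto (trusting that header assumes the proxy in front always overwrites it).

```go
package main

import (
	"net/http"
	"strings"
)

// Headers that are safe to send on every response, HTTP or HTTPS.
// Values are the ones proposed in the comment above.
var securityHeaders = map[string]string{
	"Referrer-Policy":        "no-referrer",
	"X-Content-Type-Options": "nosniff",
	"X-Frame-Options":        "DENY",
}

const hstsValue = "max-age=31536000; includeSubDomains; preload"

// requestIsHTTPS reports whether the client connection used TLS, either on
// this listener or on a proxy in front of it. Assumption: the proxy sets
// X-Forwarded-Proto itself and never passes a client-supplied value through.
func requestIsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// SecurityHeaders wraps next so every response carries the headers above.
// Strict-Transport-Security is only added on HTTPS responses: RFC 6797 says
// it must not be sent over plain HTTP, and browsers ignore it there anyway.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for name, value := range securityHeaders {
			h.Set(name, value) // Set, not Add, so a value is never duplicated
		}
		if requestIsHTTPS(r) {
			h.Set("Strict-Transport-Security", hstsValue)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	http.ListenAndServe("127.0.0.1:8080", SecurityHeaders(mux))
}
```

If NGINX in front also adds the same headers with add_header, the client sees each one twice, so pick one layer per header or make the app layer the only source.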

@bnfinet
Member

bnfinet commented Nov 4, 2024

@sbp-bvanb I'm of the opinion that such headers should be added via NGINX

https://nginx.org/en/docs/http/ngx_http_headers_module.html

There are many security related headers and each has its subtle nuances.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
https://owasp.org/www-project-secure-headers/

I could see improving the documentation to highlight best practices. Would you be interested in developing a PR to make that addition?

@bnfinet bnfinet changed the title Add default headers or make them configurable improve examples in README to add common security related headers Nov 4, 2024
@sbp-bvanb
Author

sbp-bvanb commented Nov 4, 2024

In my opinion it should be resolved in the code as well. In our case we have an AWS ALB and the Nginx-ingress controller cannot configure the headers there. Instead of putting an AWS CloudFront everywhere, it should be resolved in all layers. I am willing to create a code and documentation change in the upcoming weeks and create a PR.

@bnfinet
Member

bnfinet commented Nov 4, 2024

This shows a method of adding headers to the ingress controller. Is that a workable solution for you?

https://stackoverflow.com/questions/54083179/how-can-i-correctly-setup-custom-headers-with-nginx-ingress#55574720

@sbp-bvanb
Author

Yes, I tried that today, but it is not working in conjunction with an AWS ALB.
