Re: [pgAdmin][5919] Fix security related issues - Mailing list pgadmin-hackers

Thank you Dave for the suggestion.

Please find the attached updated patch to make HSTS by default disabled and conditional based on flag.

Regards,

Ganesh Jaybhay

On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:

Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:

Hi Hackers,

Please find the attached patch to fix the below security issues:

• Host Header Injection - Added ALLOWED_HOSTS list to limit host address 
• Lack of Content Security Policy (CSP) - Added security header
• Lack of Protection Mechanisms - HSTS - Added security header
• Lack of Cookie Attribute – Secure : Kept as False as secure limits cookies to HTTPS traffic only.
• Information Disclosure – Web Server / Development Framework VersionDescription: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.

Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.

 

--

Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com