Dashboard: Allow User to specify http security headers that should be used #6089

r-heimann opened this issue Dec 12, 2024 · 0 comments
Labels
area/security Belongs to security type/enhancement Is an enhancement request

@r-heimann

Problem description:
Right now, Spring Cloud Data Flow does not send important HTTP security headers to a client, such as

  • x-content-type-options = nosniff
  • x-frame-options = DENY
  • x-xss-protection = "1; mode=block"
  • strict-transport-security = "max-age=31536000; includeSubDomains"
  • content-security-policy = "default-src 'self'"
  • referrer-policy = no-referrer

Solution description:
Maybe a simple application property which allows you to activate/declare them would be awesome. Example:

/bin/java -jar spring-cloud-dataflow-server.jar --security.headers.x-content-type-options=nosniff \
                                                --security.headers.x-frame-options=DENY \
                                                --security.headers.x-xss-protection="1; mode=block" \
                                                --security.headers.strict-transport-security="max-age=31536000; includeSubDomains" \
                                                --security.headers.content-security-policy="default-src 'self'" \
                                                --security.headers.referrer-policy=no-referrer

Description of alternatives:
An alternative would be that Spring Cloud Data Flow would have these security headers enabled by default, once an SSL configuration is used.

Additional context:
-

@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Dec 12, 2024
@cppwfs cppwfs added type/enhancement Is an enhancement request area/security Belongs to security and removed status/need-triage Team needs to triage and take a first look labels Dec 12, 2024
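One way to implement the proposal above, as an added example that is not part of this issue or of Spring Cloud Data Flow's own code: a Spring Boot 3 / Spring Security 6 configuration that binds the requested values from a hypothetical `security.headers.*` prefix (the naming suggested in the issue) and emits the listed headers through Spring Security's `HeadersConfigurer`. The package name, the property record, the `hardenedHeaders` helper and the demo filter chain are assumptions. In an application that already defines its own `SecurityFilterChain`, apply the `hardenedHeaders(...)` customizer inside that existing chain rather than registering a second chain, otherwise the new chain can shadow the application's authorization rules.

```java
package example.headers; // hypothetical package, not part of Spring Cloud Data Flow

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

@Configuration
@EnableConfigurationProperties(SecurityHeadersConfig.SecurityHeaderProperties.class)
public class SecurityHeadersConfig {

    /** Bound from "security.headers.*" (hypothetical prefix taken from the proposal in the issue). */
    @ConfigurationProperties(prefix = "security.headers")
    public record SecurityHeaderProperties(
            String frameOptions,           // "DENY" (default) or "SAMEORIGIN"
            String contentSecurityPolicy,  // full CSP directive string
            long hstsMaxAgeSeconds,        // Strict-Transport-Security max-age
            boolean hstsIncludeSubDomains) {
        public SecurityHeaderProperties {
            // Secure defaults so an empty configuration still hardens the responses.
            if (frameOptions == null) frameOptions = "DENY";
            if (contentSecurityPolicy == null) contentSecurityPolicy = "default-src 'self'";
            if (hstsMaxAgeSeconds <= 0) hstsMaxAgeSeconds = 31_536_000L; // one year
        }
    }

    /** Header customizer; wire this into the application's existing SecurityFilterChain. */
    public static Customizer<HeadersConfigurer<HttpSecurity>> hardenedHeaders(SecurityHeaderProperties p) {
        return headers -> headers
                // X-Content-Type-Options: nosniff
                .contentTypeOptions(withDefaults())
                // X-Frame-Options: DENY (or SAMEORIGIN when configured)
                .frameOptions(frame -> {
                    if ("SAMEORIGIN".equalsIgnoreCase(p.frameOptions())) frame.sameOrigin();
                    else frame.deny();
                })
                // X-XSS-Protection: 1; mode=block (the value requested in the issue)
                .xssProtection(xss -> xss.headerValue(HeaderValue.ENABLED_MODE_BLOCK))
                // Strict-Transport-Security: max-age=...; includeSubDomains
                // Spring Security only writes HSTS on requests it sees as secure (request.isSecure()).
                .httpStrictTransportSecurity(hsts -> hsts
                        .maxAgeInSeconds(p.hstsMaxAgeSeconds())
                        .includeSubDomains(p.hstsIncludeSubDomains()))
                // Content-Security-Policy: default-src 'self' (or the configured directives)
                .contentSecurityPolicy(csp -> csp.policyDirectives(p.contentSecurityPolicy()))
                // Referrer-Policy: no-referrer
                .referrerPolicy(rp -> rp.policy(ReferrerPolicy.NO_REFERRER));
    }

    /** Demo chain (assumption): replace with the application's real chain and call hardenedHeaders there. */
    @Bean
    SecurityFilterChain demoChain(HttpSecurity http, SecurityHeaderProperties props) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .httpBasic(withDefaults())
                .headers(hardenedHeaders(props));
        return http.build();
    }
}
```

Two practical caveats when using this. First, the HSTS writer matches the "once an SSL configuration is used" alternative from the issue: it emits the header only when the servlet request is secure, so behind a TLS-terminating proxy either set `server.forward-headers-strategy` so Spring honours `X-Forwarded-Proto`, or supply an explicit matcher via `hsts.requestMatcher(...)`. Second, OWASP now recommends sending `X-XSS-Protection: 0` because the legacy browser filter it enables has itself been a source of vulnerabilities; Spring Security exposes that as `HeaderValue.DISABLED`, so teams that follow that guidance can swap it in without changing the rest of the configuration.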