Cleanup #47341
Feature #47765: mgr/dashboard: security improvements
mgr/dashboard: securing CherryPy
Status: Resolved
Priority: Normal
Assignee:
Category: General - Back-end
Target version:
% Done: 100%
Tags: security
Backport: nautilus, octopus
Reviewed:
Affected Versions:
Pull request ID:
Description
Ensuring we follow, as much as possible, CherryPy security guidelines:
- Transmitting data:
  - Use Secure Cookies
- Rendering pages:
  - Set HttpOnly cookies
  - Set XFrame options
  - Enable XSS Protection
  - Set the Content Security Policy
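The checklist above can be verified against a running endpoint's response headers. The following is an added example, not code from the dashboard or from this ticket: the function name `audit_response`, the cookie name `token`, the accepted header values and both sample responses are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie


def audit_response(headers):
    """Return the checklist items that a response fails.

    headers: list of (name, value) tuples as sent by the server.
    Accepted header values below are assumptions made for this example.
    """
    findings, plain, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)          # may legitimately repeat
        else:
            plain[name.lower()] = value.strip()

    # Transmitting data / rendering pages: cookie attributes.
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for key, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {key}: missing Secure")
            if not morsel["httponly"]:
                findings.append(f"cookie {key}: missing HttpOnly")

    # Rendering pages: framing, XSS filter, content security policy.
    if plain.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options not set to DENY or SAMEORIGIN")
    if not plain.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection not enabled")
    if not plain.get("content-security-policy"):
        findings.append("Content-Security-Policy not set")
    return findings


# Constructed sample responses (not captured from a real dashboard).
HARDENED = [
    ("Set-Cookie", "token=abc123; Path=/; Secure; HttpOnly"),
    ("X-Frame-Options", "deny"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "frame-ancestors 'self';"),
]
WEAK = [
    ("Set-Cookie", "token=abc123; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_response(resp) or "OK")
```

Running the audit over every endpoint, rather than only the authentication one, shows where the hardening has and has not been applied.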
Subtasks
Related issues
History
#1 Updated by Ernesto Puerta about 3 years ago
- Parent task set to #47765
#2 Updated by Avan Thakkar almost 3 years ago
- Status changed from New to In Progress
- Assignee set to Avan Thakkar
#3 Updated by Avan Thakkar almost 3 years ago
Given we have already achieved setting cookies for the auth controller to secure the JWT token here https://tracker.ceph.com/issues/44591, my question is: should we set the same for all endpoints, or is just authentication enough? Your thoughts, @Ernesto Puerta @Alfonso Martínez @Volker Theile?
#4 Updated by Avan Thakkar almost 3 years ago
- Related to Bug #44591: CVE-2020-27839: mgr/dashboard: The ceph dashboard is vulnerable to XSS attacks added
#5 Updated by Avan Thakkar over 2 years ago
- Status changed from In Progress to Resolved
#6 Updated by Ernesto Puerta over 2 years ago
- Project changed from mgr to Dashboard
- Category changed from 146 to General - Back-end