Project

General

Profile

Cleanup #47341

Feature #47765: mgr/dashboard: security improvements

mgr/dashboard: securing CherryPy

Added by Ernesto Puerta about 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Avan Thakkar
Category:
General - Back-end
Target version:
Ceph - v16.0.0
% Done:

100%

Tags:
security
Backport:
nautilus, octopus
Reviewed:
Affected Versions:
Pull request ID:
Tags:
usability, low-hanging-fruit, management, configuration, security, administration, documentation, installation

Description

Ensuring we follow, as much as possible, Cherrypy security guidelines

  • Transmitting data:
    • Use Secure Cookies
  • Rendering pages:
    • Set HttpOnly cookies
    • Set XFrame options
    • Enable XSS Protection
    • Set the Content Security Policy

Subtasks

Cleanup #49243: mgr/dashboard: set XFrame options and Content Security Policy headersResolvedAvan Thakkar

Related issues

Related to Dashboard - Bug #44591: CVE-2020-27839: mgr/dashboard: The ceph dashboard is vulnerable to XSS attacks Resolved

History

#1 Updated by Ernesto Puerta about 3 years ago

  • Parent task set to #47765

#2 Updated by Avan Thakkar almost 3 years ago

  • Status changed from New to In Progress
  • Assignee set to Avan Thakkar

#3 Updated by Avan Thakkar almost 3 years ago

Given we have already achieved setting cookies for auth controller to secure JWT token here https://tracker.ceph.com/issues/44591, my question is should we set the same for all endpoints or just for authentication is enough? Your thoughts @Ernesto Puerta @Alfonso Martínez @Volker Theile

#4 Updated by Avan Thakkar almost 3 years ago

  • Related to Bug #44591: CVE-2020-27839: mgr/dashboard: The ceph dashboard is vulnerable to XSS attacks added

#5 Updated by Avan Thakkar over 2 years ago

  • Status changed from In Progress to Resolved

#6 Updated by Ernesto Puerta over 2 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 146 to General - Back-end

Also available in: Atom PDF