Cleanup #47341
Feature #47765: mgr/dashboard: security improvements (closed)
mgr/dashboard: securing CherryPy
Status: Resolved
Priority: Normal
Assignee:
Category: General - Back-end
Target version:
% Done: 100%
Tags: security
Backport: nautilus, octopus
Reviewed:
Affected Versions:
Pull request ID:
Description
Ensuring we follow, as much as possible, the CherryPy security guidelines:
- Transmitting data:
  - Use Secure Cookies
- Rendering pages:
  - Set HttpOnly cookies
  - Set XFrame options
  - Enable XSS Protection
  - Set the Content Security Policy
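
One way to check a response against the checklist above, as an added example that is not part of the original issue or of the Ceph code base. The function name, the cookie name and the sample header values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Headers called for by the "Rendering pages" items of the checklist.
REQUIRED_HEADERS = ("X-Frame-Options", "X-XSS-Protection", "Content-Security-Policy")
# Valid X-Frame-Options values in current browsers.
FRAME_VALUES = {"DENY", "SAMEORIGIN"}


def audit_response(headers):
    """Return sorted findings for a list of (name, value) response header pairs."""
    findings = []
    plain = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    for required in REQUIRED_HEADERS:
        if required.lower() not in plain:
            findings.append(f"missing header: {required}")
    frame = plain.get("x-frame-options")
    if frame is not None and frame.strip().upper() not in FRAME_VALUES:
        findings.append(f"unexpected X-Frame-Options value: {frame}")
    # Every Set-Cookie header is checked separately: one unflagged cookie is enough
    # to expose a token to script access or to plain-HTTP transport.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {cookie_name}: no Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {cookie_name}: no HttpOnly flag")
    return sorted(findings)


# Constructed sample responses (not captured from a real dashboard).
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "token=constructed-value; Path=/"),
]
HARDENED = [
    ("Set-Cookie", "token=constructed-value; Path=/; Secure; HttpOnly"),
    ("X-Frame-Options", "deny"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "frame-ancestors 'self';"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(sample))
```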
Updated by Avan Thakkar over 3 years ago
- Status changed from New to In Progress
- Assignee set to Avan Thakkar
Updated by Avan Thakkar over 3 years ago
Given we have already achieved setting cookies for the auth controller to secure the JWT token here https://tracker.ceph.com/issues/44591, my question is: should we set the same for all endpoints, or is just authentication enough? Your thoughts, @Ernesto Puerta @Alfonso Martínez @Volker Theile?
Updated by Avan Thakkar over 3 years ago
- Related to Bug #44591: CVE-2020-27839: mgr/dashboard: The ceph dashboard is vulnerable to XSS attacks added
Updated by Avan Thakkar about 3 years ago
- Status changed from In Progress to Resolved
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 146 to General - Back-end