DataBiosphere / data-browser

Apache License 2.0

Review and remediate June 3rd vulnerability scanning report #2622

Closed MillenniumFalconMechanic closed 2 years ago

MillenniumFalconMechanic commented 2 years ago

From @danielsotirhos in DataBiosphere/azul#4239:

There were 9 issues identified for https://dev.singlecell.gi.ucsc.edu/explore/. The same 9 issues and 4 others were identified for https://dev.singlecell.gi.ucsc.edu/. The 4 issues unique to https://dev.singlecell.gi.ucsc.edu/ (5, 6, 12, & 13) are marked with a [*].

  1. HTTP Strict Transport Security (HSTS) Errors and Warnings

    • Level: Medium
    • To be fixed by Clever Canary
  2. Cookie Not Marked as HttpOnly

    • Level: Low
    • To be fixed by Clever Canary
  3. Cookie Not Marked as Secure

    • Level: Low
    • To be fixed by Clever Canary
  4. Insecure Frame (External

  5. Misconfigured Access-Control-Allow-Origin Header [*]

    • Level: Low
    • If this
    • Won't fix, page is intended to be accessible to everyone (e.g. dev deployments, external api callers)
  6. Passive Mixed Content over HTTPS [*]

    • Level: Low
    • To be fixed by Clever Canary
  7. Content Security Policy (CSP) Not Implemented

    • Level: Best Practice
    • To be investigated by Clever Canary
  8. Expect-CT Not Enabled

    • Level: Best Practice
    • To be investigated by Clever Canary
  9. SameSite Cookie Not Implemented

    • Level: Best Practice
    • To be investigated by Clever Canary
  10. Subresource Integrity (SRI) Not Implemented

    • Level: Best Practice
    • To be investigated by Clever Canary
  11. Cross-site Referrer Leakage through usage of strict-origin-when-cross-origin in Referrer-Policy

    • Level: Best Practice
    • To be investigated by Clever Canary
  12. Email Address Disclosure [*]

    • Level: Information
    • Won't fix, desired behavior.
  13. Generic Email Address Disclosure [*]

    • Level: Information
    • Won't fix, desired behavior.

NoopDog commented 2 years ago

Superseded by https://github.com/DataBiosphere/data-browser/issues/2709

nolunwa-ucsc commented 1 year ago

@theathorn @NoopDog is there a ticket for the following findings?

HTTP Strict Transport Security (HSTS) Errors and Warnings

    • Level: Medium
    • To be fixed by Clever Canary

Cookie Not Marked as HttpOnly

    • Level: Low
    • To be fixed by Clever Canary

Cookie Not Marked as Secure

    • Level: Low
    • To be fixed by Clever Canary

Passive Mixed Content over HTTPS [*]

    • Level: Low
    • To be fixed by Clever Canary

theathorn commented 1 year ago

Superseded by #2789.