GeekInTheNorth / Stott.Security.Optimizely

A CMS Administration interface for managing security headers for Optimizely CMS Traditional and Hybrid builds.

Possibility to add custom report url #184

Closed breizh22 closed 7 months ago

breizh22 commented 8 months ago

It would be good to be able to add your own report URL; it's almost a security issue, since you fill up the database.

GeekInTheNorth commented 8 months ago

Hello @breizh22,

The violation table does not contain a record per violation, as this would indeed fill up the database table and cause performance issues. Instead it contains a unique entry per directive and source only; this record has a "last violated" date and a count. Any combination of directive and source that hasn't been violated in the last 30 days is deleted by a scheduled job.

It is also possible to supply a different database connection string if you want the module to have its data separate from the CMS.

services.AddCspManager(cspSetupOptions =>
{
    cspSetupOptions.ConnectionStringName = "EPiServerDB";
},
authorizationOptions => 
{
    authorizationOptions.AddPolicy(CspConstants.AuthorizationPolicy, policy =>
    {
        policy.RequireRole("WebAdmins");
    });
});

I can look at options around the provision of a separate reporting URL as well as the ability to disable them entirely. Functions such as the Agency Allow List and the violation report screen are, however, dependent on data being reported back to the module.

Regards, Mark
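The bounded-storage pattern Mark describes (one row per directive and blocked source, with a count and a last-violated date, purged after 30 days) as an added illustration; this is example code, not the module's own implementation, and it assumes the standard browser `csp-report` JSON shape and a 30-day retention window:

```csharp
// Added example of aggregating CSP violation reports so storage grows with
// distinct (directive, source) pairs rather than with report volume.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

public sealed class ViolationSummary
{
    public string Directive { get; init; } = "";
    public string BlockedSource { get; init; } = "";
    public int Count { get; set; }
    public DateTime LastViolated { get; set; }
}

public sealed class ViolationAggregator
{
    // Assumed retention window, matching the 30 days mentioned in the thread.
    private static readonly TimeSpan Retention = TimeSpan.FromDays(30);
    private readonly Dictionary<(string, string), ViolationSummary> _rows = new();

    public int RowCount => _rows.Count;

    // Record one browser report. A burst of identical reports only bumps a counter,
    // so a noisy or malicious client cannot fill the table with new rows.
    public void Record(string reportJson, DateTime receivedAt)
    {
        using var doc = JsonDocument.Parse(reportJson);
        var report = doc.RootElement.GetProperty("csp-report");
        var directive = report.GetProperty("effective-directive").GetString() ?? "";
        var source = report.GetProperty("blocked-uri").GetString() ?? "";
        // Assumption of this example: reduce absolute URLs to their origin so that
        // varying paths or query strings cannot create unbounded distinct keys.
        if (Uri.TryCreate(source, UriKind.Absolute, out var uri))
            source = uri.GetLeftPart(UriPartial.Authority);

        if (_rows.TryGetValue((directive, source), out var row))
        {
            row.Count++;
            row.LastViolated = receivedAt;
        }
        else
        {
            _rows[(directive, source)] = new ViolationSummary
                { Directive = directive, BlockedSource = source, Count = 1, LastViolated = receivedAt };
        }
    }

    // Equivalent of the scheduled job: drop pairs not violated within the retention window.
    public int Purge(DateTime now)
    {
        var stale = _rows.Where(kv => now - kv.Value.LastViolated > Retention)
                         .Select(kv => kv.Key).ToList();
        foreach (var key in stale) _rows.Remove(key);
        return stale.Count;
    }
}
```

Values such as `inline` or `eval` in `blocked-uri` are not absolute URIs and are kept verbatim as the source key.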

GeekInTheNorth commented 8 months ago

@breizh22

I've built the new changes, this includes the following:

The DB for my test CMS has run out of credit for this month, so I'll aim to build and test a new release next week.

GeekInTheNorth commented 7 months ago

@breizh22 This has now been released as 2.5.0. You can see the full release notes here: https://github.com/GeekInTheNorth/Stott.Security.Optimizely/discussions/201