Open DinisCruz opened 9 years ago
@tekgirl77 or @michaelhidalgo this is another nice one for you to get your head around TM 4.0 dev and UnitTest development
Ran into an issue during testing: the error in the screenshot below persists in Chrome (Version 39.0.2171.95 (64-bit)) no matter how I update the existing helmetjs CSP code; even if I remove the code, the error persists. It happens only on the /guest/about.html and /guest/features.html pages; the "Help", "Login" and "Sign Up" pages all load successfully. In Firefox, ALL pages load successfully.
The screenshot below was taken after all CSP code had been commented out, my cache cleared, npm update run, and the server restarted:
Solution to above issue: disable cache in developer tools in Chrome.
Good catch with the cache!
@luchia Hi Lucy, Dinis said I should ping you on this one. There is an option with the CSP (Content Security Policy) headers to submit data on policy violations in JSON format. I am wondering if we are interested in collecting this data, having it emailed to the team / individual, etc., so that we can be alerted when someone comes across a portion of our site that is blocked due to the policy in place.
In the screenshot below, you can see the json key:value pairs that it will report on:
@michaelhidalgo I was told to ping you for access to Saucelabs for multi-browser testing.
Sure, I'm sending you the credentials in an encrypted email
The helmet.csp (Content Security Policy) module will not enforce BOTH cross-site scripting prevention AND https. To enforce https, the helmet.hsts (HTTP Strict Transport Security) module should be used in addition to helmet.csp.
The express_enforces_ssl() module will force users to use https by redirecting any http requests to https with a 301 permanent redirect.
https://github.com/aredo/express-enforces-ssl
@tekgirl77 cool stuff, can you review the current TeamMentor articles on CSP and, if they need some changes, please propose them (there is a GitHub repo for content changes)
Will do! :)
Great analysis!
Just an example of processing the CSP reports: https://mathiasbynens.be/notes/csp-reports
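As an added example (not TeamMentor code and not from helmet or express-enforces-ssl), the pieces this thread settles on in one place: the CSP and HSTS headers, the http-to-https 301 redirect, and a report-uri endpoint that parses the JSON violation report. It assumes a TLS-terminating proxy that sets X-Forwarded-Proto; the sample report and the tm.example host are constructed.

```javascript
// Policy discussed in the thread: Jade pages need no client-side script, so all
// script execution is blocked and violations are POSTed as JSON to /csp-report.
const CSP_POLICY = "default-src 'self'; script-src 'none'; report-uri /csp-report";

// Constructed sample of a browser's report-uri POST body (not a real capture).
const SAMPLE_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://tm.example/guest/about.html', 'line-number': 12,
  'violated-directive': "script-src 'none'", 'blocked-uri': 'inline' } });

// CSP for script control plus HSTS for https (what helmet.csp + helmet.hsts emit).
function securityHeaders() {
  return { 'Content-Security-Policy': CSP_POLICY,
           'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' };
}

// What express-enforces-ssl does: behind a TLS-terminating proxy the original
// scheme arrives in X-Forwarded-Proto; anything not https gets a 301 to https.
function httpsRedirectTarget(headers, url) {
  const proto = (headers['x-forwarded-proto'] || 'http').split(',')[0].trim();
  return proto === 'https' ? null : `https://${headers.host}${url}`;
}

// Parse a violation report; null for malformed input so the endpoint can 400.
function parseCspReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') return null;
  return { documentUri: r['document-uri'] || '', violatedDirective: r['violated-directive'],
           blockedUri: r['blocked-uri'] || '', lineNumber: Number(r['line-number']) || 0 };
}

// Request handler tying it together; run with require('http').createServer(handler).listen(3000).
function handler(req, res) {
  const target = httpsRedirectTarget(req.headers, req.url);
  if (target) { res.writeHead(301, { Location: target }); return res.end(); }
  if (req.method === 'POST' && req.url === '/csp-report') {
    let body = '';
    req.on('data', (chunk) => { body += chunk; });
    return req.on('end', () => {
      const report = parseCspReport(body);
      if (!report) { res.writeHead(400); return res.end(); }
      console.log('CSP violation', JSON.stringify(report)); // alerting/email hook
      res.writeHead(204); res.end();
    });
  }
  res.writeHead(200, { 'Content-Type': 'text/html', ...securityHeaders() });
  res.end('<h1>About</h1>');
}
```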
Description
No security-focused headers are sent to the user
Risk Analysis
A couple of headers should be added (enforce SSL, for example). Since Jade doesn't use HTML, we should use CSP to block all JavaScript execution.
References
TM-4.0-Security