buerokratt / POC-DMR.Cross-functional-requirements

Cross-functional requirements to take into account when developing or planning to develop Bürokratt's custom base components
MIT License

Security: Tighten Security Measures for Communication #74

Closed guypritchard closed 2 years ago

guypritchard commented 2 years ago

AS AN Architect I WANT TO Ensure that Communications are as Secure as possible by using recommended standards and versions SO THAT the opportunity for exploit is reduced

Acceptance Criteria

decodingahmed commented 2 years ago

We may want to reconsider this ticket (or maybe part of it).

| Acceptance Criteria | Comment |
| --- | --- |
| Ensure HTTPS is used wherever possible | 1. Ingress for all the applications already forces HTTPS. 2. NGINX ingress controller on AKS also redirects to HTTPS. 3. The dotnet apps should ideally communicate over HTTP, as HTTPS is not necessary for communications between apps within the cluster. |
| TLS 1.2 as a bare minimum | Our cluster supports TLS 1.3. See the SSL Server Test report showing this: byk-dev-aks-ingress.westeurope.cloudapp.azure.com |
| Look at AKS control plane access | At the moment, the AKS control plane is protected with RBAC and AAD, and any Contributor on the Byrokratt subscription can access the control plane. We could try creating a specific security group and control who has access. Otherwise, the next step would be to wrap the cluster in a vNET. |
| User APIs implement CORS | This needs to be implemented on CentOps API. |
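The first two acceptance criteria above (HTTPS enforced at the ingress, TLS 1.2 as the floor) can be audited mechanically rather than by reading the SSL Server Test report once. The script below is an added example, not code from the Bürokratt project: it takes the JSON shape that `kubectl get ingress -o json` and `kubectl get configmap -o json` produce and reports every ingress without a TLS block or with the ingress-nginx redirect switched off, plus any weak protocol enabled in the controller's `ssl-protocols` setting. The ingress names, hosts and ConfigMap contents are constructed sample data; the in-cluster HTTP traffic from point 3 and the AKS control-plane access question are out of its scope.

```python
"""Audit Kubernetes Ingress objects and the ingress-nginx controller ConfigMap
against two acceptance criteria from this issue: HTTPS enforced on every
ingress and TLS 1.2 as the minimum protocol version.

Input is the JSON produced by `kubectl get ingress -o json` and
`kubectl get configmap <name> -o json`. The samples at the bottom are
constructed for this example."""
import json

# Real ingress-nginx annotation keys; "ssl-redirect" defaults to true when a
# TLS block exists, "force-ssl-redirect" covers TLS terminated upstream.
SSL_REDIRECT = "nginx.ingress.kubernetes.io/ssl-redirect"
FORCE_SSL_REDIRECT = "nginx.ingress.kubernetes.io/force-ssl-redirect"
# Protocol names as they appear in the ingress-nginx "ssl-protocols" key.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_ingress(ingress: dict) -> list[str]:
    """Return findings for one Ingress object; an empty list means compliant."""
    findings = []
    name = ingress["metadata"]["name"]
    annotations = ingress["metadata"].get("annotations", {})
    spec = ingress.get("spec", {})

    if not spec.get("tls"):
        findings.append(f"{name}: no spec.tls block, HTTPS is not terminated here")

    redirect_off = annotations.get(SSL_REDIRECT, "true").lower() == "false"
    forced = annotations.get(FORCE_SSL_REDIRECT, "false").lower() == "true"
    if redirect_off and not forced:
        findings.append(f"{name}: HTTP to HTTPS redirect disabled by annotation")

    # Every host routed by a rule should also be covered by a TLS entry.
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in tls_hosts:
            findings.append(f"{name}: host {host} has no TLS entry")
    return findings


def audit_controller_config(configmap: dict) -> list[str]:
    """Check the controller ConfigMap for protocols below the TLS 1.2 floor."""
    data = configmap.get("data", {})
    # ingress-nginx's own default is "TLSv1.2 TLSv1.3" when the key is absent.
    protocols = data.get("ssl-protocols", "TLSv1.2 TLSv1.3").split()
    return [f"ssl-protocols allows {p}" for p in sorted(WEAK_PROTOCOLS & set(protocols))]


def audit(ingress_list_json: str, configmap_json: str) -> list[str]:
    """Run both checks and return the combined list of findings."""
    findings = []
    for ingress in json.loads(ingress_list_json)["items"]:
        findings.extend(audit_ingress(ingress))
    findings.extend(audit_controller_config(json.loads(configmap_json)))
    return findings


# Constructed sample input: one compliant ingress, one that violates the
# criteria, and a controller ConfigMap that still enables TLS 1.0 and 1.1.
SAMPLE_INGRESSES = json.dumps({"items": [
    {"metadata": {"name": "centops-api",
                  "annotations": {SSL_REDIRECT: "true"}},
     "spec": {"tls": [{"hosts": ["centops.example.invalid"]}],
              "rules": [{"host": "centops.example.invalid"}]}},
    {"metadata": {"name": "legacy-api",
                  "annotations": {SSL_REDIRECT: "false"}},
     "spec": {"rules": [{"host": "legacy.example.invalid"}]}},
]})
SAMPLE_CONFIGMAP = json.dumps({
    "metadata": {"name": "ingress-nginx-controller"},
    "data": {"ssl-protocols": "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"},
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_INGRESSES, SAMPLE_CONFIGMAP):
        print(finding)
```

Against live output, pipe `kubectl get ingress -A -o json` into `audit()` together with the controller's ConfigMap; an empty result is the evidence for the two criteria, and each finding names the object to fix.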