com-pas / compas-architecture

Project's architecture documentation
Creative Commons Attribution 4.0 International

Investigate: OpenSSF Best Practices Badges - HTTPS implementation #161

Closed FredFousPro closed 7 months ago

FredFousPro commented 2 years ago

In order to fully validate the silver level of OpenSSF Best Practices Badges for our project and for security reasons, we have to fully implement HTTPS instead of HTTP.

Here are the requirements to meet: The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network communications, select "not applicable" (N/A).

The software produced by the project SHOULD, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select "not applicable" (N/A). [crypto_tls12]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select "not applicable" (N/A). [crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select "not applicable" (N/A). [crypto_verification_private]

Here is the questionnaire: https://bestpractices.coreinfrastructure.org/en/projects/5925?criteria_level=1

dlabordus commented 1 year ago

We should investigate what is the normal way to do this with Container Images, because during deployment the SSL Certificate probably needs to be injected for use. @Sander3003, maybe also discuss this internally, to see how other teams are doing it within OpenShift at Alliander.

Sander3003 commented 7 months ago

Using the NGINX proxy ensures the use of HTTPS.
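As an added illustration of the approach described in this thread (an NGINX reverse proxy terminating TLS in front of the application containers, with the certificate injected at deployment), here is an example NGINX configuration. It is not configuration from the CoMPAS project; the hostname `compas.example.org`, the upstream name `compas-app:8080` and the certificate mount path `/etc/nginx/tls/` are assumptions chosen for the example.

```nginx
# Added example, not the CoMPAS project's own configuration.
# Hostname, upstream name and certificate paths are assumptions.

# Plain HTTP is never served: port 80 only redirects to HTTPS,
# which keeps the insecure protocol "disabled by default".
server {
    listen 80;
    server_name compas.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name compas.example.org;

    # Certificate and key are injected at deployment time, e.g. from a
    # mounted OpenShift/Kubernetes TLS secret (assumed mount path), so the
    # container image itself contains no key material.
    ssl_certificate     /etc/nginx/tls/tls.crt;
    ssl_certificate_key /etc/nginx/tls/tls.key;

    # Only TLS 1.2 and 1.3 are offered; SSLv3, TLS 1.0 and TLS 1.1 are
    # refused, which covers the [crypto_tls12] criterion.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Instruct browsers to use HTTPS only for this host in future requests.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # The application container (assumed name and port) is reached only
        # over the internal container network, never directly from outside.
        proxy_pass http://compas-app:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

After deploying, `nginx -t` validates the syntax, and `openssl s_client -connect compas.example.org:443 -tls1_1` should fail to negotiate while `-tls1_2` succeeds, which is a quick check that the older protocol versions are really disabled. Note that this covers the server side only; the [crypto_certificate_verification] and [crypto_verification_private] criteria concern outbound TLS connections made by the application's own HTTP clients, which must keep certificate verification enabled (the default in most client libraries) rather than disabling it for convenience.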