Open ravilodhi opened 7 months ago
A01 Broken Access Control
1) Clickjacking: X-Frame-Options header. The UtilHttp.setResponseBrowserDefaultSecurityHeaders(response) method sets this header, and we have started using it in the OMS PR below: https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

A04 Insecure Design
1) Clickjacking: X-Frame-Options header. The UtilHttp.setResponseBrowserDefaultSecurityHeaders(response) method sets this header, and we have started using it in the OMS PR below: https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs
2) Content Security Policy (CSP) not implemented. OMS PR: https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs

A05 Security Misconfiguration
1) Content Security Policy (CSP) not implemented. OMS PR: https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs
2) Permissions-Policy header not implemented. Severity very low, not fixed.
3) Reverse proxy detected. Severity very low, not fixed.
4) HTTP Strict Transport Security (HSTS) not following best practices (no includeSubDomains directive). The method used in the PR below has the needed changes, and we have now started using it. OMS PR: https://git.hotwax.co/commerce/oms/-/merge_requests/4688/diffs
Note: Nothing has been fixed on the app side for the above vulnerabilities as of now; they should be handled by the changes made on the OMS side. If needed, CSP can be handled on the app side using meta tags, e.g. by adding the meta tag below to the index.html file:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"/>
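To verify which of the findings above still apply to a deployed response, here is an added example (not part of this issue or the OMS code base) that audits a response's header map, accepting the meta-tag CSP fallback from the note. The sample headers are constructed; the values the OMS method actually sets are assumed, not quoted from UtilHttp.

```python
# Added example: audit response headers against the findings listed above.
# Sample inputs are constructed; header values are assumed, not taken from UtilHttp.
import re

# Constructed sample: a response before the OMS change.
BEFORE = {"Strict-Transport-Security": "max-age=31536000", "Content-Type": "text/html"}

# Constructed sample: headers of the kind the OMS change is meant to add
# (values assumed for illustration).
AFTER = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",
    "Permissions-Policy": "geolocation=(), camera=()",
}

# App-side fallback from the note above: CSP delivered via a meta tag in index.html.
META_CSP = re.compile(r'<meta\s+http-equiv=["\']Content-Security-Policy["\']', re.I)


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def hsts_directives(value):
    """Parse 'max-age=31536000; includeSubDomains' into a lower-cased directive map."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip() or None
    return out


def audit(headers, html=""):
    """Return the report findings that still apply to this response."""
    findings = []
    if get_header(headers, "X-Frame-Options") is None:
        findings.append("Clickjacking: X-Frame-Options header")
    if get_header(headers, "Content-Security-Policy") is None and not META_CSP.search(html):
        findings.append("Content Security Policy (CSP) not implemented")
    if get_header(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy header not implemented")
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS not implemented")
    elif "includesubdomains" not in hsts_directives(hsts):
        findings.append("HSTS not following best practices (No includeSubDomains directive)")
    return findings
```

Run `audit(BEFORE)` to list the four open findings and `audit(AFTER)` to confirm an empty list once the headers are in place.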
What is the motivation for adding/enhancing this feature?
Here is the report:
20240221_OWASP_Top_10_2021_https_launchpad_hotwax_io_home.pdf
What are the acceptance criteria?
All the critical vulnerabilities should be fixed.
Can you complete this feature request by yourself?
Additional information