Beissea 85 pen test fixes #248

xonde · 2023-09-14T13:52:36Z

No description provided.

davidm-m

CSP stuff look great, I just want to check that the change you've made to cookies is the right one.

SeaPublicWebsite/Services/Cookies/CookieService.cs

davidm-m

Lovely stuff 👍

davidm-m · 2023-09-19T11:38:25Z

Just realised: PLEASE DON'T ACTUALLY MERGE THIS!
Merging into main triggers a production deployment. We should be merging into dev first.

xonde · 2023-09-20T09:51:27Z

Just to note, while this should technically work, The way it's set up on the new platform means we're always in a dev environment. So I think we should sort out BEISSEA-86 before we merge this. I'll ask Jeni if I can prioritise that after doing the data capture ticket

davidm-m · 2023-09-20T09:53:28Z

Just to note, while this should technically work, The way it's set up on the new platform means we're always in a dev environment.

Ha, I was just going to write an identical comment. Sounds good to me.

davidm-m

Making the anti forgery cookie secure broke HER, so we'll need to make an additional change to avoid that. I've put more details in a comment.

davidm-m · 2023-09-26T10:34:00Z

SeaPublicWebsite/Startup.cs

+        private void ConfigureAntiForgeryCookieOptions(AntiforgeryOptions options)
+        {
+            options.Cookie.Name = "Antiforgery";
+            options.Cookie.SecurePolicy = webHostEnvironment.IsDevelopment() ? CookieSecurePolicy.None : CookieSecurePolicy.Always;
+        }
+


Turns out HER has this exact change and it's breaking the health check since the health check is apparently over HTTP, not HTTPS. We'll need to add in an exception to the health check endpoint that it doesn't use an anti forgery cookie.

Sounds good, thanks for checking

This commit contains WIP code that should probably be removed. I have made a note on each section with a "TODO: BEISSEA-85"

xonde requested a review from davidm-m September 14, 2023 13:52

davidm-m reviewed Sep 14, 2023

View reviewed changes

SeaPublicWebsite/Services/Cookies/CookieService.cs Show resolved Hide resolved

davidm-m approved these changes Sep 18, 2023

View reviewed changes

xonde changed the base branch from main to dev September 20, 2023 09:48

xonde added 5 commits September 20, 2023 10:54

BEISSEA-85: Remove CSP Wildcards

7782f6c

BEISSEA-85: Set HTTP Only Flag on cookie

83226cb

BEISSEA-85: Added nonce to inline scripts

4a31325

BEISSEA-85: Set AntiForgery Cookie to Secure

10800cc

BEISSEA-85: Remove Secure flag if in DEV environment

05ad816

xonde force-pushed the BEISSEA-85-pen-test-fixes branch from b836cd3 to 05ad816 Compare September 20, 2023 09:54

davidm-m requested changes Sep 26, 2023

View reviewed changes

xonde added 2 commits September 26, 2023 15:51

BEISSEA-85: Pull out middleware invoke into smaller functions

ba2cc12

BEISSEA-85: WIP

2d2da2c

This commit contains WIP code that should probably be removed. I have made a note on each section with a "TODO: BEISSEA-85"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Beissea 85 pen test fixes #248

Beissea 85 pen test fixes #248

xonde commented Sep 14, 2023

davidm-m left a comment

davidm-m left a comment

davidm-m commented Sep 19, 2023

xonde commented Sep 20, 2023

davidm-m commented Sep 20, 2023

davidm-m left a comment

davidm-m Sep 26, 2023

xonde Sep 26, 2023

Beissea 85 pen test fixes #248

Are you sure you want to change the base?

Beissea 85 pen test fixes #248

Conversation

xonde commented Sep 14, 2023

davidm-m left a comment

Choose a reason for hiding this comment

davidm-m left a comment

Choose a reason for hiding this comment

davidm-m commented Sep 19, 2023

xonde commented Sep 20, 2023

davidm-m commented Sep 20, 2023

davidm-m left a comment

Choose a reason for hiding this comment

davidm-m Sep 26, 2023

Choose a reason for hiding this comment

xonde Sep 26, 2023

Choose a reason for hiding this comment