Re: [pgAdmin][5919] Fix security related issues - Mailing list pgadmin-hackers

From Ganesh Jaybhay
Subject Re: [pgAdmin][5919] Fix security related issues
Msg-id CAK6syAqACY7Ab-HBDB5+0D0xkqMaH0=FM5j5G0yfjZqit4Lp3Q@mail.gmail.com
In response to Re: [pgAdmin][5919] Fix security related issues  (Dave Page <dpage@pgadmin.org>)
Responses Re: [pgAdmin][5919] Fix security related issues  (Akshay Joshi <akshay.joshi@enterprisedb.com>)
List pgadmin-hackers
Thank you Dave for the suggestion.

Please find attached the updated patch, which makes HSTS disabled by default and conditional on a flag.

Regards,
Ganesh Jaybhay

On Mon, Oct 19, 2020 at 5:38 PM Dave Page <dpage@pgadmin.org> wrote:
Hi

On Mon, Oct 19, 2020 at 1:01 PM Ganesh Jaybhay <ganesh.jaybhay@enterprisedb.com> wrote:
Hi Hackers,

Please find the attached patch to fix the below security issues:
  • Host Header Injection - Added ALLOWED_HOSTS list to limit host address
  • Lack of Content Security Policy (CSP) - Added security header
  • Lack of Protection Mechanisms - HSTS - Added security header
  • Lack of Cookie Attribute – Secure: Kept as False as secure limits cookies to HTTPS traffic only.
  • Information Disclosure – Web Server / Development Framework Version. Description: Kept as hard coded 'Python' instead of exposing wsgi/python/gunicorn version info.
Please review and let me know if I have missed anything.

I took a very quick look at this, and one thing that immediately stood out is that HSTS should definitely not be enabled by default. That can make dev/test/redeploy extremely difficult.
 
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com
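The mitigations listed in the thread, shown as an added stdlib-only WSGI middleware that is not the attached patch or pgAdmin's own code: a Host allow-list check, a CSP header, HSTS emitted only when a flag enables it (off by default, as the review asked), and a Server header replaced with a fixed value. Only ALLOWED_HOSTS comes from the thread; the other configuration names, the empty-list-means-any semantics and the sample policy and version strings are assumptions.

```python
DEFAULT_CONFIG = {
    "ALLOWED_HOSTS": [],                           # empty: accept any host (assumed semantics)
    "CONTENT_SECURITY_POLICY": "default-src 'self'",          # assumed name and value
    "STRICT_TRANSPORT_SECURITY_ENABLED": False,    # off by default, per the review above
    "STRICT_TRANSPORT_SECURITY": "max-age=31536000; includeSubDomains",
}

def host_allowed(host_header, allowed_hosts):
    """Return True if the Host header (port stripped) is on the allow-list."""
    if not allowed_hosts:
        return True
    host = (host_header or "").strip().lower()
    if host.startswith("[") and "]" in host:       # IPv6 literal such as "[::1]:5050"
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]               # drop the port
    return host in {h.lower() for h in allowed_hosts}

class SecurityHeadersMiddleware:
    def __init__(self, app, config=None):
        self.app = app
        self.config = {**DEFAULT_CONFIG, **(config or {})}

    def __call__(self, environ, start_response):
        cfg = self.config
        if not host_allowed(environ.get("HTTP_HOST", ""), cfg["ALLOWED_HOSTS"]):
            # Reject before the app builds any URL from an attacker-chosen Host value.
            start_response("400 Bad Request", [("Content-Type", "text/plain"), ("Server", "Python")])
            return [b"Bad Request: invalid Host header\n"]

        def secured_start_response(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            headers.append(("Server", "Python"))   # hide wsgi/python/gunicorn versions
            headers.append(("Content-Security-Policy", cfg["CONTENT_SECURITY_POLICY"]))
            if cfg["STRICT_TRANSPORT_SECURITY_ENABLED"]:
                headers.append(("Strict-Transport-Security", cfg["STRICT_TRANSPORT_SECURITY"]))
            return start_response(status, headers, exc_info)

        return self.app(environ, secured_start_response)

def hello_app(environ, start_response):
    """Constructed inner app that leaks a (made-up) server version, as an unwrapped app would."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Server", "gunicorn/20.0.4")])
    return [b"hello\n"]

def run_request(app, host):
    """Drive a WSGI app with a constructed GET request; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host}, start_response))
    return captured["status"], captured["headers"], body
```

A reverse proxy in front of the app must forward the original Host header unchanged, otherwise the allow-list check compares against the proxy's own name.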
