Issue
Testing team reported "VULN-05 HSTS and CSP not implemented properly".
The report is attached to the GONRG-1637: [^API security testing report _Trajectory.pdf].
They say "The HSTS and CSP headers are not implemented. A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate".
Reported contexts: STORAGE, DELIVERY
Replay and analysis
Debugged Search service API:
curl --location --request POST 'https://os-search-attcrcktoa-uc.a.run.app/api/search/v2/query' \
--header 'Authorization: Bearer <token>' \
--header 'data-partition-id: osdu' \
--header 'Content-Type: application/json' \
--data-raw '{
"kind": "osdu:osdu:*:0.2.0",
"query": "BIR*"
}'- Noticed security headers (Strict-Transport-Security, Content-Security-Policy etc.) absence in responses
- Analyzed Search service Java code
- not found any "active" code for setting security headers on Responses
- found the inactivated class "org.opengroup.osdu.search.middleware.CorrelationIDRequestFilter" designed to set needed headers
- the class is inactivated by the commented "@Component" annotation
- CorrelationIDRequestFilter component should be reviewed, actualized and reactivated
- see the similar functionality code we have in Storage service: GONRG-1756
Type of change
-
Bug Fix -
Feature
Does this introduce a change in the core logic?
- [YES]
Does this introduce a change in the cloud provider implementation, if so which cloud?
-
AWS -
Azure -
GCP -
IBM
Does this introduce a breaking change?
- [NO]
Have you added/updated Unit Tests and Integration Tests?
- [NO]