Security headers missing in our environment

INFORMATION

Relevant information to this issue:

ISSUE
Hi everyone,

After a Pentest that have been done on our platform, we’ve got a feedback on missing headers that we might need in our front-end app. Here is the analysis of our lead developer, who thinks it could be resolved from the Devops side :

This issue appears to be related to the configuration of the Front server.

The back-end does not seem to have the problem, as it uses the “helmet” module. Since the back-end creates its own server and listens on its own port, it distributes the requested headers (see screenshot).

However, the front-end is built, and there must be software on the server that creates the listening server and distributes the files (nginx, apache, node?). This component needs to be configured to add the requested headers. I do not have access to this component, and I may not be the most qualified person to make these changes, so please review and decide how you would like to proceed.

Back-end result :

Front-end result :

Could you help us with this issue ?

Thanks,
Dan

Hello @Dan_Dray,
I think what you’re looking for is what we expose in the network.ingress.add_headers service advanced setting.
This is used in fine to customize the nginx ingress configuration by using the add_header function

The value of network.ingress.add_headers is an array of key:value pairs i.e {"X-Frame-Options":"DENY","X-Content-Type-Options":"nosniff"}

Hi @Melvin_Zottola ,

Thank you for your answer. Could you help me to find where I can change this function in the Qovery console? I don’t see it anywhere.
Is it more on the Cloud Provider side that I have to configure it ? (We work with Scaleway on our side)

Thank you for the help,
Dan

Sure, you need to go to your service’s global settings, then click on the Advanced Settings section of the left-bar menu:

Thank you very much !

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.