Add X-XSS-Protection HTTP Header for RASA Core server request- http://<hostname>:5005 #4729
Comments
Thanks for submitting this feature request 🚀 @wochinge will get back to you about it soon! ✨
Hi @arunabh09 , thanks for your feature request. Also (however I'm not an expert with xss) I don't see how xss attacks relate to your use case. |
Hi @wochinge, I had opened this issue on the request of @btotharye. Also, I did try using Apache reverse proxy settings as mentioned in the forum post; I was able to redirect 5005 requests to 9090 Apache, but 5005 was still open and the scan reports complained about missing XSS headers for 5005. I played around with some configurations so that I could restrict 5005 requests but didn't succeed. Hence I proceeded with adding security headers directly into the RASA core sanic HTTP server. That being said, we can keep this issue as low priority as it's not causing any blockers. Thanks,
yea I had asked him to open an issue on this @wochinge based off a forum post, I figured it might be something we wanted to look at or at least know about, if it isn't something we need to fix we can obviously close this out.
But what would the injected script do? Also the status endpoint is nothing which you would typically access with your browser (and only browsers process these headers).
The reverse proxy settings can't change the fact that your server exposes port 5005. I think the header is not the issue, but rather the fact that you should run a firewall.
Agreed, I'll be looking into the direction of configuring a firewall and blocking HTTP access for port 5005.
Ok, then I'll close this for now :-)
Description of Problem:
This feature is needed to address cross site scripting security vulnerabilities and other headers as per need.
https://forum.rasa.com/t/add-x-xss-protection-http-header-for-rasa-core-server-request-http-hostname-5005/20741?u=arunabh09
Overview of the Solution:
A possible solution which I have implemented is to modify the run.py file which uses sanic server implementation.
In this way, you can add any other HTTP header as per security requirement.
Examples (if relevant):
Reference: https://sanic.readthedocs.io/en/latest/sanic/middleware.html
Blockers (if relevant): None
Definition of Done: Either enable critical security headers within RASA Core code (run.py) or configure an argument to easily enable/configure HTTP headers without the need for an end user to modify run.py file.
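The middleware approach the issue body describes (adding response headers in the Sanic server that Rasa's run.py starts), as an added example that is neither Rasa's code nor the issue author's patch. It assumes a Sanic `app` object; the header set, the `apply_security_headers`/`parse_header_args`/`register_security_headers` names, and the `HEADER=value` argument shape for the "configure an argument" option are all assumptions made here. Two caveats a practitioner should keep in mind, both consistent with the thread: these headers are only honoured by browsers, so they do nothing to restrict who can reach port 5005 (network-level blocking does that), and current browsers ignore `X-XSS-Protection` entirely, so `Content-Security-Policy` is the header that actually constrains script execution today; the example sets both so the scanner finding and the real control are covered.

```python
"""Added example: attach security headers to every Sanic response.

Not part of Rasa; the header values and helper names are assumptions.
The pure functions below are framework-independent so they can be tested
without Sanic installed; register_security_headers wires them into an app.
"""

# Defaults applied when a handler has not set the header itself (assumed set).
SECURITY_HEADERS = {
    "X-XSS-Protection": "1; mode=block",          # legacy; ignored by modern browsers
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}


def apply_security_headers(headers, overrides=None):
    """Merge SECURITY_HEADERS (plus optional overrides) into `headers`.

    `headers` is any mutable mapping, e.g. Sanic's response.headers.
    Values already present are left alone so an endpoint can opt out
    or tighten a header explicitly.
    """
    merged = dict(SECURITY_HEADERS)
    if overrides:
        merged.update(overrides)
    for name, value in merged.items():
        if name not in headers:
            headers[name] = value
    return headers


def parse_header_args(arg_values):
    """Turn repeated CLI values such as 'X-Frame-Options=SAMEORIGIN' into a dict.

    This is an assumed shape for the 'configure an argument' option in the
    issue's definition of done, so end users need not edit run.py.
    """
    overrides = {}
    for item in arg_values:
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"expected HEADER=value, got {item!r}")
        overrides[name.strip()] = value.strip()
    return overrides


def register_security_headers(app, overrides=None):
    """Register a Sanic response middleware that adds the headers to every reply."""

    @app.middleware("response")
    async def _add_security_headers(request, response):
        apply_security_headers(response.headers, overrides)

    return _add_security_headers


if __name__ == "__main__":
    # Stand-alone demo: needs Sanic; falls back to a dict demo if it is absent.
    import sys

    overrides = parse_header_args(sys.argv[1:])  # e.g. X-Frame-Options=SAMEORIGIN
    try:
        from sanic import Sanic
        from sanic.response import json as json_response

        app = Sanic("secure_headers_demo")  # constructed demo app, not Rasa's
        register_security_headers(app, overrides)

        @app.get("/status")
        async def status(request):
            return json_response({"status": "ok"})

        app.run(host="127.0.0.1", port=5005)
    except ImportError:
        print("sanic not installed; headers that would be applied:")
        for k, v in apply_security_headers({}, overrides).items():
            print(f"  {k}: {v}")
```

With Sanic installed, `python this_file.py X-Frame-Options=SAMEORIGIN` serves `/status` on 127.0.0.1:5005 with the four headers attached; the override replaces the default `DENY`. Because the merge skips names already present, a handler that sets its own `Content-Security-Policy` keeps it.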