Add X-XSS-Protection HTTP Header for RASA Core server request- http://<hostname>:5005 · Issue #4729 · RasaHQ/rasa · GitHub
Closed
arunabh09 opened this issue Nov 6, 2019 · 7 comments
Labels
type:enhancement ✨ Additions of new features or changes to existing ones, should be doable in a single PR

Comments

@arunabh09

Description of Problem:

This feature is needed to address cross site scripting security vulnerabilities and other headers as per need.
https://forum.rasa.com/t/add-x-xss-protection-http-header-for-rasa-core-server-request-http-hostname-5005/20741?u=arunabh09

Overview of the Solution:

A possible solution which I have implemented is to modify the run.py file, which uses the Sanic server implementation:

```python
from sanic import Sanic

app = Sanic("rasa")  # in Rasa's run.py the Sanic app already exists


@app.middleware('response')
async def prevent_xss(request, response):
    # Sanic response middleware runs for every outgoing response
    response.headers["x-xss-protection"] = "1; mode=block"
```

In this way, you can add any other HTTP header as per security requirement.
Examples (if relevant):

Reference: https://sanic.readthedocs.io/en/latest/sanic/middleware.html
Blockers (if relevant): None

Definition of Done: Either enable critical security headers within RASA Core code (run.py) or configure an argument to easily enable/configure HTTP headers without the need for an end user to modify run.py file.

@arunabh09 arunabh09 added the type:enhancement ✨ Additions of new features or changes to existing ones, should be doable in a single PR label Nov 6, 2019
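
A configurable variant of that middleware, written here as an added example (not Rasa's or the reporter's code): the header set is a mapping rather than a hardcoded line, existing per-route values are not clobbered, and a scanner-style check reports which headers a response lacks. `install_security_headers` and the other names are hypothetical; `app` is assumed to be the Sanic instance from run.py.

```python
"""Configurable security headers for the Sanic app behind `rasa run` (added example, not Rasa code)."""
from typing import Dict, Iterable, List, Optional

# Headers the issue asks to make configurable; X-XSS-Protection is the one the scan flagged.
DEFAULT_SECURITY_HEADERS: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def apply_security_headers(headers, extra: Optional[Dict[str, str]] = None, overwrite: bool = False):
    """Add the configured headers to a response header mapping (in place) and return it.

    Names are matched case-insensitively. A value an endpoint already set is kept
    unless overwrite=True, so a route with its own policy is not silently clobbered.
    """
    wanted = {**DEFAULT_SECURITY_HEADERS, **(extra or {})}
    for name, value in wanted.items():
        existing = [k for k in list(headers) if k.lower() == name.lower()]
        if existing and not overwrite:
            continue
        for k in existing:
            del headers[k]
        headers[name] = value
    return headers


def missing_security_headers(headers, required: Optional[Iterable[str]] = None) -> List[str]:
    """Names from `required` (default: DEFAULT_SECURITY_HEADERS) absent from a response, as a scanner reports them."""
    present = {k.lower() for k in headers}
    return sorted(n for n in (required or DEFAULT_SECURITY_HEADERS) if n.lower() not in present)


def install_security_headers(app, extra: Optional[Dict[str, str]] = None):
    """Register one Sanic response middleware (hypothetical helper; `app` is the Sanic instance from run.py)."""

    @app.middleware("response")
    async def add_security_headers(request, response):
        apply_security_headers(response.headers, extra)  # response.headers is a case-insensitive multidict

    return add_security_headers


if __name__ == "__main__":
    # Constructed sample: a JSON response from the status endpoint before the middleware runs.
    sample = {"Content-Type": "application/json", "Content-Length": "42"}
    print("missing before:", missing_security_headers(sample))  # the scanner's finding
    apply_security_headers(sample)
    print("missing after: ", missing_security_headers(sample))  # []
```

Adding a header does not close port 5005; restricting access to the port is the actual fix, and the header only matters for responses a browser renders. Browsers have since removed the XSS auditor that X-XSS-Protection controlled, so a Content-Security-Policy passed via `extra` is the meaningful header-based mitigation today.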
@sara-tagger
Collaborator

Thanks for submitting this feature request 🚀 @wochinge will get back to you about it soon! ✨

@wochinge
Contributor

wochinge commented Nov 6, 2019

Hi @arunabh09 ,

thanks for your feature request.
I just read through your forum post and I'm wondering why you are not using a firewall? The x-xss headers are respected by the browsers, but the actual problem is that you don't want to have direct access to it, right?

Also (however I'm not an expert with xss) I don't see how xss attacks relate to your use case.

@arunabh09
Author

arunabh09 commented Nov 6, 2019

Hi @wochinge ,

I had opened this issue on the request of @btotharye .
The issue was reported by Qualys vulnerability scan tool which basically scans for all the open ports on the Linux server irrespective of exterior security configurations like firewall.

Also, I did try using Apache reverse proxy settings as mentioned in the forum post. I was able to redirect 5005 requests to 9090 Apache, but 5005 was still open and the scan reports complained about missing XSS headers for 5005. I played around with some configurations so that I could restrict 5005 requests but didn't succeed. Hence I proceeded with adding security headers directly into the RASA Core Sanic HTTP server.

That being said we can keep this issue as low priority as it’s not causing any blockers.

Thanks,
Arunabh

@btotharye
Contributor

Yeah, I had asked him to open an issue on this @wochinge based off a forum post. I figured it might be something we wanted to look at or at least know about; if it isn't something we need to fix we can obviously close this out.

@wochinge
Contributor

wochinge commented Nov 7, 2019

> The issue was reported by Qualys vulnerability scan tool which basically scans for all the open ports on the Linux server irrespective of exterior security configurations like firewall.

But what would the injected script do? Also the status endpoint is nothing which you would typically access with your browser (and only browsers process these headers).

> Also, I did try using Apache reverse proxy settings as mentioned in the forum post, I was able to redirect 5005 request to 9090 Apache but 5005 was still open and the scan reports complained about missing XSS headers for 5005.

The reverse proxy settings can't change the fact that your server exposes port 5005. I think the header is not the issue, but rather the fact that you should run a firewall.

@arunabh09
Author

arunabh09 commented Nov 7, 2019

Agreed, I'll be looking into the direction of configuring a firewall and blocking HTTP access for port 5005.
Thank you @wochinge

@wochinge
Contributor

Ok, then I'll close this for now :-)
