Apply Content-Security-Policy to all server responses #143871
Labels: enhancement (New value added to drive a business result); Feature:Hardening (Hardening of Kibana from a security perspective); Feature:Security/CSP (Platform Security - Content Security Policy); Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)
Comments
legrego added the Team:Security, enhancement, Feature:Security/CSP and Feature:Hardening labels on Oct 24, 2022
Pinging @elastic/kibana-security (Team:Security)
watson pushed a commit that referenced this issue on Nov 16, 2022:
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes #143871
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue on Nov 16, 2022:
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
kibanamachine added a commit that referenced this issue on Nov 16, 2022:
(#145449) Backport: This will backport the following commits from `main` to `8.6`: Add CSP header to all requests, including api requests (#144902). Co-authored-by: Thomas Watson <watson@elastic.co>
watson pushed a commit to watson/kibana that referenced this issue on Nov 17, 2022:
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
Conflicts:
  src/core/server/http_resources/http_resources_service.test.ts
  src/core/server/http_resources/http_resources_service.ts
watson pushed a commit to watson/kibana that referenced this issue on Nov 17, 2022:
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
Conflicts:
  packages/core/http/core-http-server-mocks/src/test_utils.ts
  src/core/server/http/lifecycle_handlers.test.ts
  src/core/server/http_resources/http_resources_service.test.ts
  src/core/server/http_resources/http_resources_service.ts
watson pushed a commit that referenced this issue on Nov 17, 2022:
(#145552) Backport: This will backport the following commits from `main` to `8.5`: Add CSP header to all requests, including api requests (#144902).
benakansara pushed a commit to benakansara/kibana that referenced this issue on Nov 17, 2022:
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871
watson pushed a commit that referenced this issue on Nov 21, 2022:
… (#145553) Backport: This will backport the following commits from `main` to `7.17`: Add CSP header to all requests, including api requests (#144902). Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
We include a Content-Security-Policy on all app requests, but calls that only return data (e.g. /api/*) are not currently protected. We discussed a more restrictive CSP for these types of requests (#51323), but we feel that:
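An added example (not Kibana's own code) that models the gap this issue describes: a response hook that sets the CSP header only on app responses, the corrected hook that sets it on every response including /api/* data endpoints, and an audit that lists paths still missing the header. The policy string, the Response shape and the sample paths are constructed for the example.

```typescript
// Minimal model of the hardening requested in this issue (constructed example).
interface Response {
  path: string;
  headers: Record<string, string>;
}

const CSP_HEADER = 'Content-Security-Policy';
// Constructed policy; the real policy value is a deployment decision.
const CSP_POLICY =
  "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'";

function withCsp(res: Response): Response {
  return { ...res, headers: { ...res.headers, [CSP_HEADER]: CSP_POLICY } };
}

// "Before": only app (HTML) responses get the header; data routes are skipped.
function applyCspAppOnly(res: Response): Response {
  if (res.path.startsWith('/api/')) return res;
  return withCsp(res);
}

// "After": every response gets the header regardless of route, so a JSON
// endpoint opened directly in a browser tab is covered by the same policy.
function applyCspAll(res: Response): Response {
  return withCsp(res);
}

// Audit: paths whose responses carry no CSP header (names compared
// case-insensitively, as HTTP header names are).
function missingCsp(responses: Response[]): string[] {
  const want = CSP_HEADER.toLowerCase();
  return responses
    .filter((r) => !Object.keys(r.headers).some((h) => h.toLowerCase() === want))
    .map((r) => r.path);
}

// Constructed sample responses: one app page, two data-only API calls.
const SAMPLE: Response[] = [
  { path: '/app/home', headers: { 'content-type': 'text/html' } },
  { path: '/api/status', headers: { 'content-type': 'application/json' } },
  { path: '/api/example', headers: { 'content-type': 'application/json' } },
];

function auditBefore(): string[] {
  return missingCsp(SAMPLE.map(applyCspAppOnly));
}

function auditAfter(): string[] {
  return missingCsp(SAMPLE.map(applyCspAll));
}
```

Running auditBefore() reproduces the issue (both /api/* paths are reported); auditAfter() reports nothing, which is the state the referenced commits aim for.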
Tasks:
kibana/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts, line 119 in c8a2ee2