Custom https header based whitelisting

Open mikelking opened this issue 3 years ago • 0 comments

It would be great if RSA supported custom HTTPS header parameters to facilitate whitelisting of dynamic testing services for systems like NewRelic, GTMetrix, GitLab, GitHub, and CypressJS. If adopted, this should be considered for the following optional scenarios.

  • Standard IP address whitelisting based access granted - existing functionality
  • Access granted if the header is present in lieu of IP address whitelisting - this would allow systems like GitLab CI/CD access where IP address whitelisting may not be available
  • Access granted only if the header is present in conjunction with the IP address whitelisting - this would allow additional security for systems like GTMetrix where IP address whitelisting is available but it is desired to limit the tests' access to the systems protected by RSA

NewRelic has some specifics on their header implementation:

https://docs.newrelic.com/docs/synthetics/synthetic-monitoring/administration/identify-synthetic-monitoring-requests-your-app/

In the NewRelic scenario the RSA admin page would need to have a configuration field for the matching header parameters in WordPress.

For other services like GTMetrix, it is possible to define custom headers to send with the request, and RSA could have its own custom header identifier and a field for entering a unique matching value in the RSA admin page of WordPress.

CypressJS can also send custom headers:

https://medium.com/agilix/cypress-testing-include-custom-http-header-on-each-http-request-2b3693813e97

Maybe the system could be similar to the IP address whitelist, where you could add a custom header, the accepted value, and a label to identify the source. I know the following image is crude, but it should convey the concept for defining custom whitelist headers in its simplest form.

[image: mockup of the custom whitelist header fields (header, accepted value, label)]

I am not sure how one would identify that a particular header or group of headers fit the scenario of requiring matching whitelisted IP addresses or vice versa. This is why I listed it as the third scenario, since it would be a nice-to-have.

mikelking avatar Feb 15 '22 20:02 mikelking
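The three scenarios above, modelled as a single access decision (an added example, not code from the plugin or from the issue author). It assumes one way to resolve the open question in the post: the "header AND IP" requirement is attached to the IP allowlist entry, and each header rule states whether it may grant access on its own. The header name `X-RSA-Token`, the labels and the CIDR ranges are constructed.

```python
"""Access decision for the three allowlisting scenarios in the issue.

Assumption (not plugin code): the "header AND IP" requirement hangs off the
IP allowlist entry, and each header rule states whether it may grant alone.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HeaderRule:
    label: str          # identifies the source, e.g. "GTMetrix"
    name: str           # header name, matched case-insensitively
    expected: str       # shared value the admin entered
    grants_alone: bool  # True: scenario 2; False: only usable by scenario 3

@dataclass(frozen=True)
class IpEntry:
    network: str                           # CIDR, e.g. "203.0.113.0/24"
    requires_header: Optional[str] = None  # HeaderRule label (scenario 3)

def header_matches(rule, headers):
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(rule.name.lower())
    # The header value is effectively a bearer secret: compare in constant time.
    return value is not None and hmac.compare_digest(
        value.encode(), rule.expected.encode())

def access_granted(client_ip, headers, ip_entries, rules):
    """Return (granted, reason); the reason is meant for the access log."""
    by_label = {r.label: r for r in rules}
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    for entry in ip_entries:
        if addr not in ipaddress.ip_network(entry.network, strict=False):
            continue
        if entry.requires_header is None:           # scenario 1: IP alone
            return True, f"ip {entry.network}"
        rule = by_label.get(entry.requires_header)  # scenario 3: IP + header
        if rule is not None and header_matches(rule, headers):
            return True, f"ip {entry.network} + header {rule.label}"
    for rule in rules:                              # scenario 2: header alone
        if rule.grants_alone and header_matches(rule, headers):
            return True, f"header {rule.label}"
    return False, "no matching allowlist entry"
```

Deny is the default path, and the returned reason gives the access log enough to tell which allowlist entry or header rule admitted a request.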