
[owners] Add HSTS (Strict Transport Security)

Open rcebulko opened this issue 5 years ago • 8 comments

rcebulko avatar Oct 28 '19 19:10 rcebulko

Since this is hosted by App Engine, here's the relevant segment from AppEngine's faq.

It is possible to use Strict-Transport-Security in App Engine. In order to add HTTP Strict-Transport-Security headers (HSTS) to your app, you must implement the headers within your app's code, not within your app's config file (app.yaml or appengine-web.xml).

https://cloud.google.com/appengine/kb/
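Since App Engine requires the header to be set from application code, here is an added example (not code from the amp-github-apps repository) of an Express-style middleware that does so. It assumes the app is behind App Engine's TLS-terminating proxy, which passes the original scheme in `X-Forwarded-Proto`; the header is only set on responses that arrived over HTTPS, because browsers ignore HSTS on plain-HTTP responses, and plain-HTTP requests are redirected so the browser then receives the policy over TLS.

```javascript
// Added example, not part of amp-github-apps. Assumes Express-style
// (req, res, next) middleware and an App Engine-style proxy that sets
// X-Forwarded-Proto to "https" for TLS requests.

function buildHstsHeader({ maxAge = 31536000, includeSubDomains = true, preload = false } = {}) {
  // max-age is in seconds; one year is the usual baseline. Only add "preload"
  // once the domain is actually submitted to the browser preload list.
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

function isSecureRequest(req) {
  // Behind the proxy the socket itself is plain HTTP; the original scheme is
  // in X-Forwarded-Proto (first value if the proxy chain appended several).
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  return proto === 'https' || Boolean(req.socket && req.socket.encrypted);
}

function hsts(options = {}) {
  const value = buildHstsHeader(options);
  return function hstsMiddleware(req, res, next) {
    if (isSecureRequest(req)) {
      // Browsers only honour HSTS on responses received over TLS.
      res.setHeader('Strict-Transport-Security', value);
      return next();
    }
    const host = req.headers.host;
    if (!host) {
      // Cannot build a redirect target without a Host header; fall through.
      return next();
    }
    // Plain HTTP: redirect to HTTPS so the browser can then cache the policy.
    res.statusCode = 301;
    res.setHeader('Location', `https://${host}${req.url || '/'}`);
    res.end();
  };
}
```

Register it before the app's routes (e.g. `app.use(hsts({ maxAge: 63072000 }))`) so every browser-accessible endpoint gets the header.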

kristoferbaxter avatar Oct 28 '19 19:10 kristoferbaxter

Unclear how necessary this is at the time being, since there is no authentication/it's public-facing and GitHub authenticates with PSK

rcebulko avatar Oct 28 '19 19:10 rcebulko

@ampproject/wg-infra Do any of our apps use HSTS? Is there a need? I'm inclined to say there is not given the nature of the apps, but perhaps I'm missing something

rcebulko avatar Oct 29 '19 15:10 rcebulko

It's a good extra step, regardless of how "important" the apps are, but don't overthink it. Unless it's a simple flag in GAE config, make this a fixit week task and forget about it until next year :)

danielrozenberg avatar Oct 29 '19 17:10 danielrozenberg

That was my thought

rcebulko avatar Oct 29 '19 17:10 rcebulko

Still relevant, let's do it next fixit

danielrozenberg avatar Jan 27 '20 17:01 danielrozenberg

Is this relevant? There's no sensitive data present in any of the browser-accessible endpoints for the owners bot. It's just the teams, tree, and example file. What threat model would this address?

rcebulko avatar Jan 27 '20 17:01 rcebulko

It's one extra layer of security, it's definitely not required but it does tell the world we're Professionals :D

danielrozenberg avatar Jan 27 '20 18:01 danielrozenberg