Enable Strict-Transport-Security header in Automate API

[vivekvardwaz]

Existing issue:
Usage of HTTP should be kept at a minimum in web applications where security matters. Users which enter the web application via HTTP, e.g. by entering only the domain name in the URL bar of their browser should be redirected directly to a secure HTTPS URL. All HTTPS resources should provide a Strict-Transport-Security header which ensures that the browser uses only HTTPS for a given amount of time. The syntax for this header is as follows: Strict-Transport-Security: max-age=[; includeSubDomains] The parameter max-age gives the time frame for requirement of HTTPS in seconds and should be chosen quite high, e.g. several months. Except the initial redirection the application should be used completely with HTTPS.

The HTTP Strict Transport Security policy defines a timeframe where a browser must connect to the web server via HTTPS. Without a Strict Transport Security policy the web application may be vulnerable against several attacks: If the web application mixes usage of HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets in a manner that the switch to the secured page is not performed or done in a manner, that the attacker remains between client and server.

Expected Behaviour:
Enable Strict-Transport-Security header including all necessary parameters. e.g. Applying the HSTS header to the automate.conf.js file

Aha! Link: https://chef.aha.io/epics/SH-E-473

[emo3]

At our customer they use AppScan and found the following:
Chef Automate ->
2000 automate-gatew
10115 session-servic
10117 dex
10143 minio
10161 nginx: master

These are the ports and applications that did not have the HSTS Header turned on. Our security defines this as a security violation and needs to be fixed.

[kalroy]

Automate Loadbalancer exposes 443 for connection from Outside and it is under HSTS header. An example of nginx config:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

The ports mentioned as per AppScan are not the ones which can be hit from outside the environment. These are for internal connections and should not be exposed from the outside.

[TerrieB1]

Can I get an update for the customer please on this one. Thank you

[Venkatesh-rengasamy]

@kalroy
Code changes are tested. "strict-transport-security" added in response header. Please see the screenshot FYI.

[Venkatesh-rengasamy]

Added Strict-Transport-Security in Response header #5286

[jtonello]

Is it possible that this update has caused problems with the Automate API, which does not appear to work per https://docs.chef.io/automate/api/.

$ curl -s -H "api-token: $TOKEN" https://automate.chef.lab/apis/iam/v2/policies -v
*   Trying 10.128.1.46:443...
* Connected to automate.chef.lab (10.128.1.46) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /opt/chef-workstation/embedded/ssl/certs/cacert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0