Conversation

@johnnyhuy (Contributor) commented Jul 14, 2024

User description

  • Add new environment variable for APP_BASE_URL in Backstage
  • Update PLAUSIBLE_DATA_DOMAIN value to backstage.localhost
  • Update CSP settings in app-config.yaml
  • Refactor backend baseUrl and listener configuration in app-config.production.yaml

PR Type

enhancement, configuration changes


Description

  • Added APP_BASE_URL environment variable in .env.example.
  • Added echo statements for Backstage and Traefik URLs in Makefile.
  • Refactored baseUrl to use APP_BASE_URL variable in app-config.production.yaml.
  • Updated CSP settings and added CORS configuration in app-config.production.yaml.
  • Updated CSP settings to include 'unsafe-eval' in script-src in app-config.yaml.

Changes walkthrough 📝

Relevant files

Configuration changes

  .env.example: Add `APP_BASE_URL` environment variable (+1/-0)
    • Added APP_BASE_URL environment variable for Backstage.

  app-config.production.yaml: Refactor baseUrl and update security settings (+13/-10)
    • Refactored baseUrl to use APP_BASE_URL variable.
    • Updated CSP settings.
    • Added CORS configuration.

  app-config.yaml: Update CSP settings in development configuration (+1/-1)
    • Updated CSP settings to include 'unsafe-eval' in script-src.

Enhancement

  Makefile: Add echo statements for Backstage and Traefik URLs (+2/-0)
    • Added echo statements for Backstage and Traefik URLs.

@echohello-codium-ai-pr-agent (Contributor) commented:

PR Review 🔍

⏱️ Estimated effort to review [1-5]

2, because the changes are mostly configuration updates and environment variable adjustments, which are straightforward to review. However, understanding the context and implications of CSP and CORS settings might require some specific knowledge.

🧪 Relevant tests

No

⚡ Possible issues

Possible Security Risk: The inclusion of 'unsafe-eval' in the script-src directive of CSP settings can expose the application to potential security vulnerabilities like XSS attacks. This should be used with caution and ideally avoided if possible.

🔒 Security concerns

- CSP 'unsafe-eval': Including 'unsafe-eval' in the CSP settings increases the risk of executing unsafe JavaScript, which could be exploited by attackers. Consider removing it if not absolutely necessary.

@echohello-codium-ai-pr-agent (Contributor) commented:

PR Code Suggestions ✨

Category: Security

Suggestion: Enhance security by using HTTPS for the base URL (score: 10)

Consider using HTTPS for APP_BASE_URL to enhance security, especially if sensitive data is being transmitted.

.env.example [5]

    -APP_BASE_URL=http://backstage.localhost
    +APP_BASE_URL=https://backstage.localhost
     
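Review bot: changing the scheme in .env.example does not by itself make backstage.localhost serve TLS. The Makefile in this PR still announces http://localhost:7007 and http://backstage.localhost, and app-config.production.yaml interpolates '${APP_BASE_URL}' into script-src, so taking this suggestion without also configuring TLS termination in front of Backstage (at Traefik, in this setup) would point the frontend and its CSP at a URL nothing listens on. Either apply it together with the listener/Traefik change, or keep http for the local example file and enforce https in real deployment values.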
Suggestion importance[1-10]: 10

Why: Using HTTPS instead of HTTP for the base URL is a significant security improvement, especially if sensitive data is being transmitted.

Suggestion: Improve security by removing 'unsafe-eval' from CSP settings (score: 10)

Remove 'unsafe-eval' from script-src in the CSP settings to improve security by preventing the execution of strings as code, which can be a vector for XSS attacks.

app-config.production.yaml [11]

     script-src:
    -  ["'self'", 'http:', 'https:', "'unsafe-eval'", '${APP_BASE_URL}']
    +  ["'self'", 'http:', 'https:', '${APP_BASE_URL}']
     
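Review bot: removing 'unsafe-eval' reverses what this PR deliberately does (the description adds it to script-src, and the branch is named feature/plausible-fix-csp), so before taking the suggestion the author should identify which script actually needs eval; dropping it blindly will only reappear as CSP violation reports in the browser console. Separately, the directive already lists the scheme sources 'http:' and 'https:', which allow scripts from any origin on either scheme; that makes the '${APP_BASE_URL}' entry redundant and is a wider hole than 'unsafe-eval' on its own. A tighter directive would be `["'self'", '${APP_BASE_URL}']` plus the specific origin of the analytics script, with 'unsafe-eval' kept only if a dependency is shown to require it.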
Suggestion importance[1-10]: 10

Why: Removing 'unsafe-eval' from the CSP settings is crucial for preventing XSS attacks, which can exploit the ability to execute strings as code.

Suggestion: Ensure secure connections by including only https: in the connect-src CSP directive (score: 8)

Consider adding https: to the connect-src directive in CSP settings to ensure that all connections are made over a secure protocol.

app-config.yaml [21]

    -connect-src: ["'self'", 'http:', 'https:']
    +connect-src: ["'self'", 'https:']
     
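Review bot: dropping 'http:' from connect-src in app-config.yaml, which the walkthrough identifies as the development configuration, would block the frontend's calls to the backend at http://localhost:7007 that the Makefile advertises. The change is the right direction for app-config.production.yaml, where the CORS and listener settings were refactored in this PR, but in the dev file it should wait until the local backend is reachable over TLS; otherwise developers will see every API request rejected by CSP.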
Suggestion importance[1-10]: 8

Why: While this suggestion improves security by enforcing HTTPS connections, it might require additional changes to ensure all endpoints support HTTPS.

Category: Best practice

Suggestion: Use HTTPS in echo statements for secure communication (score: 7)

Update the echo statements to use HTTPS URLs for services to align with best practices for secure communication.

Makefile [53-54]

    -@echo "Backstage is running at http://localhost:7007 or http://backstage.localhost"
    -@echo "Traefik is running at http://localhost:8080 or http://traefik.localhost"
    +@echo "Backstage is running at https://localhost:7007 or https://backstage.localhost"
    +@echo "Traefik is running at https://localhost:8080 or https://traefik.localhost"
     
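Review bot: these echo lines are informational, so rewriting them to https: without changing what the services actually listen on (the PR description mentions refactoring the baseUrl and listener configuration, not enabling TLS) would print URLs that do not work. Rather than hard-coding either scheme, derive the printed Backstage URL from the variable this PR introduces, e.g. `@echo "Backstage is running at $(APP_BASE_URL)"`, assuming the Makefile loads .env so that APP_BASE_URL is set; the message then stays correct whichever scheme the environment uses.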
Suggestion importance[1-10]: 7

Why: Updating the echo statements to use HTTPS aligns with best practices for secure communication, but it is a minor improvement compared to other suggestions.

@johnnyhuy johnnyhuy merged commit fdf6a33 into main Jul 14, 2024
@johnnyhuy johnnyhuy deleted the feature/plausible-fix-csp branch July 14, 2024 02:28