redirect HTTP to HTTPS unless explicitly instructed not to do this re… #4044
Conversation
|
I am not sure if you aimed at HSTS only and prefer not to use helmet, cf. https://github.com/helmetjs/helmet but with helmet it seems that we can harden HTTP headers (not just HSTS) in a consistent way w/o too much local code maintenance. If you had something else in mind regarding your HSTS proposal, please let me know. There are still a few security headers that we can harden: Content-Security-Policy, Referrer-Policy and Feature-Policy so I will have a look at those now but we went from F to B in https://securityheaders.com with the present PR. PS! I did test the resulting headers with (under different config settings): |
|
@jweismann no problem in using helmet and doing stuff more secure. If you integrate helmet, please also have a look at our CORS options, see https://github.com/nightscout/cgm-remote-monitor#cors-cors |
|
@jweismann How extensively have you tested this? Wondering if helmet will have any side-effects on the REST API +1 for this though, just need to make sure nothing breaks |
|
@sulkaharo. The tests I did beside the raw curl calls confines itself to use it, i.e. I have not experienced problems with the browser versions that we use on our ordinary usage of the site but that is not a solid test (I have no clue as to how others use NS and which browsers and which versions ought to be supported, i.e. what do we define as proper test coverage here?). My thoughts was to have this as an optional feature (and off by default) so if one experience an issue with this then one can just revert to the default settings. The setting 'SECURE_HTTP_HEADERS' is off by default so to use the hardening provided by helmet one will actively have to change this setting. Please take note that @PieterGit requestd two PRs. The first with the auto redirections from HTTP to HTTPS (redirections should be on by default as req. by @PieterGit ). The latter PR was to address his wish to support HSTS and I aimed at a solution with minimal maintenance and hence suggested to use helmet instead of explicit support which also harden headers beyond HSTS and we could even harden it further if you like. I was awaiting some feedback on this idea. Thanks for getting back! |
|
@jweismann You can do testing with the inbuilt swagger, see |
|
Tested api's with token. No problem. Also oref0 rigs runs fine with these headers. |
|
I made some improvements to the helmet implementation in this PR |
|
Hi Pieter, Sorry for the radio silence. I checked the upstream code today and found that a change was made to the logic and to me it seems that this change implies that the redirections no longer work. I reverted the logic and this made the redirections work again. Tested on heroku with curl: curl -Ls -w %{url_effective} -o /dev/null http://site.herokuapp.com with upstream dev does not redirect but stick to http://site.herokuapp.com Then I changed back: -// if (!process.env.INSECURE_USE_HTTP=='true') { and curl -Ls -w %{url_effective} -o /dev/null http:site.herokuapp.com now redirect to https://site.herokuapp.com. Moreover, with heroku config:set -a SITE INSECURE_USE_HTTP=true the redirections no longer happens - again as expected. |
Draft release notes for upcoming 0.11 release (currently release candidate phase). # Changes Over 360 commits, 89 files changed, +8,428 / −6,569 lines of changes (full list of changes here: https://github.com/nightscout/cgm-remote-monitor/pull/4022/commits ) ## New features - Fully secure by default out of the box. Unsecure access via http is not allowed anymore by default. This might force you to re-authenticate with your `API_SECRET` or token if you were using unsecure access. (@PieterGit ) - No outdated packages with vulnerabilities are being used anymore (@PieterGit ) - Add Week to Week report (@jpcunningh, #4123 ) - Add Loopalyzer report to analyse looping. Visualize your loop (@lixgbg, #3629 #4235 ) - Add predictions support to Day to Day report (@lixgbg, #3179 ) - Add cgm sensor stop to Careportal (@jpcunningh, #4060) ## Removed features - remove `mqtt` module, because it had a security issue and was not used - remove `sgvdata` module, because it had a security issue, added a lot of complexity and wasn't needed (@PieterGit ). Replacement implementation for CSV and TSV export (@sulkaharo ). ## Improvements - Fix MongoDB database insert handling. Log error on inserts and don't crash in case the MongoDB disk is full or MongoDB quota is reached (@sulkaharo and @jpcunningh) - Upgrade packages to recent version, fixing all known security issues with dependencies (@PieterGit) - Redirect redirect HTTP to HTTPS and implement HSTS (@jweismann, @PieterGit, #4044 and #4010 and #4253 ) - Technical improvement: Migrate from `uglify-js` to `terser-webpack-plugin` (@PieterGit) - Streamlined Heroku deployment template with more descriptive text and more appropriate defaults for new users (@unsoluble, #4116 ) ## Bug fixes - Fix CGM voltageb battery warning level to match xDrip+ (@jpcunningh, #3954 ) - Fix daylight saving and reloading bug in profile editor, (@DigitalDan1, @Kywalh #4029 and #4074 ) - Reduce the amount of Profile Switch treatments being loaded to fix UI slowdown and Nightscout home screen losing AAPS data from >3 hours ago, (@sulkaharo, @vickster1, #4055 ) - Upgrade to [share2nightscout 0.2.0](https://github.com/nightscout/share2nightscout-bridge/releases/tag/0.2.0). Prevent Nightscout server crashes in case Dexcom server does not respond (@PieterGit, @veryfancy) - Fix UI so pills are updated immediately after new data is loaded (@sulkaharo) - Fixes to If-Modified-Since HTTP header handling for BG data (@sulkaharo) ## Documentation and language updates - Language updates for Danish, Dutch, German, Hebrew, Norwegian, Russian - New languages: Japanese, Turkish - Update Alexa documentation. Note that some Alexa improvements are postponed to Nightscout 0.12 because the Alexa plugin needs refactoring, see #4168 (comment) - Update IFTTT maker-setup.md docs (@Dave9111, @unsoluble, #4206 ) - Updated various docs, including [CONTRIBUTING](https://github.com/nightscout/cgm-remote-monitor/blob/dev/CONTRIBUTING.md) documentation # Upgrade notes - We only allow Nightscout to start with a secure Node JS. - Latest Node 8 LTS (8.15.0 or later) and Latest Node 10 LTS (10.15.1 or later) are recommended and supported. - Latest Node version on Azure (currently 10.14.0) is tolerated, but not recommended - Other versions will not start - The [rawbg](https://github.com/nightscout/cgm-remote-monitor#rawbg-raw-bg) settings are converted to a single setting tri-state variable. - We improved security and added several new environment variables such as [INSECURE_USE_HTTP and SECURE_HSTS_HEADER](https://github.com/nightscout/cgm-remote-monitor/#predefined-values-for-your-server-settings-optional) - Your site redirects to https by default. If you don't want that or use a Nginx or Apache proxy, set `INSECURE_USE_HTTP` to `true`. - We enabled [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) headers by default, settings `SECURE_HSTS_HEADER` and `SECURE_HSTS_HEADER_*` ## Upgrade notes for Azure users We recommend Azure users consider migrating their hosting to Heroku, as we've observed Heroku users have significantly less issues with having their sites work reliably. If you want to continue using Azure, change the following configuration variables in Azure before updating to the latest Nightscout version: ``` WEBSITE_NODE_DEFAULT_VERSION=10.14.1 SCM_COMMAND_IDLE_TIMEOUT=300 ``` # Install instructions Install instructions can be found: https://github.com/nightscout/cgm-remote-monitor/blob/master/README.md#install # Contributors to this release The release coordination for this release was done by @PieterGit We would like to thank the following people for their contribution (in alphabetical order): @anderser, @apanasef, @balshor, @bewest, @blocklist_twitter, @CaroGo, @cascer1, @cluckj, @danamlewis, @Dave9111, @diabetlum, @herzogmedia, @janrpn, @jasoncalabrese, @jpcunningh, @jweismann, @kenstack, @Kywalh, @lixgbg, @LuminaryXion, @MilosKozak, @mitrei, @PaperT1D, @PieterGit, @unsoluble, @rarneson, @renegadeandy, @scottleibrand, @sulkaharo, @T-o-b-i-a-s, @tynbendad, @unsoluble, @veryfancy, @viq, @wootmasterslick (if I forgot somebody, please respond) # TODO TODO: Translations, Languages with less than 80% will be removed in a future Nightscout version. Currently the following languages are at risk: 中文(繁體) (zh_tw), Hrvatski (hr), Ελληνικά (el), 한국어 (ko) See https://gitter.im/nightscout/public?at=5bef2f34de42d46bba766f66 TODO: Fix Codacy errors, https://app.codacy.com/app/Nightscout/cgm-remote-monitor/issues?bid=2452379&filters=W3siaWQiOiJDYXRlZ29yeSIsInZhbHVlcyI6WyJFcnJvciBQcm9uZSJdfV0= TODO: test dev after all new features are merged for at least two weeks
Sorry Pieter. This one totally slipped my mind until I saw all the activity today. I did simple tests on heroku via curl, cf. below and the 6 cases shown below worked as expected:
heroku config:unset -a hostname INSECURE_USE_HTTP
curl -Ls -w %{url_effective} -o /dev/null http://hostname.herokuapp.com
curl -Ls -w %{url_effective} -o /dev/null https://hostname.herokuapp.com
heroku config:set -a hostname INSECURE_USE_HTTP=true
heroku config --app hostname | grep INSECURE
curl -Ls -w %{url_effective} -o /dev/null http://hostname.herokuapp.com
curl -Ls -w %{url_effective} -o /dev/null https://hostname.herokuapp.com
heroku config:set -a hostname INSECURE_USE_HTTP=false
heroku config --app hostname | grep INSECURE
curl -Ls -w %{url_effective} -o /dev/null http://hostname.herokuapp.com
curl -Ls -w %{url_effective} -o /dev/null https://hostname.herokuapp.com
Would you like the feature added to app.json too ? Is the default as you like or should default be to behave as current implementation ?