From febee2bcf687c8a104616917dec24534f1a1c1cc Mon Sep 17 00:00:00 2001
From: Mickael E
Date: Mon, 14 Jan 2019 10:34:16 -0500
Subject: [PATCH] Allow ETag headers for Journalist Interface

ETags are useful to the journalist API to ensure file integrity, and in the future would allow file download resumption. Disabling ETags is a defense against information leakage https://nvd.nist.gov/vuln/detail/CVE-2003-1418. Since inodes are no longer included by Apache by default, since 2.3.14, that Apache only exposes filesize and MTime by default (information readily available on the Journalist interface, that the Journalist Interface is behind ATHS, it should be safe to re-enable ETags on the journalist interface only.
---
 .../roles/app/templates/sites-available/journalist.conf | 1 -
 .../staging/app/apache/test_apache_journalist_interface.py | 1 -
 2 files changed, 2 deletions(-)

diff --git a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
index 6dec14bec4..3beeec1418 100644
--- a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
+++ b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
@@ -31,7 +31,6 @@ Header set X-Content-Type-Options: nosniff
 Header set X-Download-Options: noopen
 Header set X-Content-Security-Policy: "default-src 'self'"
 Header set Content-Security-Policy: "default-src 'self'"
-Header unset Etag
 
 # Limit the max submitted size of requests.
 LimitRequestBody 524288000
diff --git a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
index 71f0b22efb..cc1a5341a8 100644
--- a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
+++ b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
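Review bot: Dropping `Header unset Etag` leaves the ETag composition to Apache's `FileETag` default rather than stating it in the vhost, so the safety argument in the description (no inode in the ETag) holds only as long as that default is not overridden by the distribution's global configuration or changed by a future Apache release. Consider pinning it beside the remaining `Header set` lines with `FileETag MTime Size`, so the journalist vhost asserts the intended behaviour and a reviewer can verify it without checking the installed Apache version. `FileETag` only governs ETags for files Apache serves from disk; ETags on responses generated by the application come from the application, so the integrity and resumption goals in the description depend on what the application emits, which this hunk does not show. The companion hunk in test_apache_journalist_interface.py only removes the old assertion; a positive assertion on the chosen `FileETag` line would keep the configuration under test.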
@@ -16,7 +16,6 @@ "Header set X-Content-Security-Policy: \"default-src 'self'\"",
 "Header set Content-Security-Policy: \"default-src 'self'\"",
 'Header set Referrer-Policy "no-referrer"',
- 'Header unset Etag',
 ]