Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fastly: Include security headers for dl #7278

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fastly: Include security headers for dl #7278

wants to merge 2 commits into from

Conversation

ameukam
Copy link
Member

@ameukam ameukam commented Sep 10, 2024

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 10, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. area/infra Infrastructure management, infrastructure design, code in infra/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Sep 10, 2024
@ameukam
Copy link
Member Author

ameukam commented Sep 10, 2024

cc @upodroid @BenTheElder

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 10, 2024
BenTheElder
BenTheElder reviewed Sep 10, 2024
View reviewed changes
Copy link
Member

@BenTheElder BenTheElder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if we're not doing auth or hosting web authentication this is kind of /shrug?

what's the case where we care if a web browser tries to do cross-origin here?

@ameukam
Copy link
Member Author

ameukam commented Sep 10, 2024

Yes but IMHO it doesn't hurt to have them. We don't know if in the future for examples static pages we host will be become dynamic content.

sftim
sftim reviewed Nov 14, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

infra/fastly/terraform/dl.k8s.io/vcl/binaries.vcl
set resp.http.Referrer-Policy = "origin-when-cross-origin";

if (req.protocol == "https") {
set resp.http.Strict-Transport-Security = "max-age=63072000; includeSubDomains";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could add a comment about how we picked the max age.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sftim Done. PTAL

sftim
sftim reviewed Nov 14, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

Feel free to unhold after a wait time for folks to cancel it

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 14, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 14, 2024
@ameukam
Fastly: fix the cache rule for the version markers.
303f93c 
Related:
  - kubernetes#7447

We do not capture the latest-1.txt and stable-1.txt due to the regex
rule define for all the version markers.
@ameukam
Fastly: Include security headers for dl
17c3fe5 
Add Security headers to the VCL service.

Ref:
 - https://web.dev/secure/
 - https://infosec.mozilla.org/guidelines/web_security
Signed-off-by: Arnaud Meukam <[email protected]>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 15, 2024
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sftim sftim sftim left review comments

@BenTheElder BenTheElder BenTheElder left review comments

@dims dims Awaiting requested review from dims

@upodroid upodroid Awaiting requested review from upodroid

Assignees

@sftim sftim

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/infra Infrastructure management, infrastructure design, code in infra/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ameukam @k8s-ci-robot @BenTheElder @sftim