Comments (10)
- It might in general be a good idea to go through the OWASP Cheat Sheets
from gae-init.
Mark all handlers in `app.yaml` with `secure: always` to ensure that users can only access the application over HTTPS. When developers turn that off... they are on their own. See https://cloud.google.com/appengine/docs/python/config/appconfig#Python_app_yaml_Secure_URLs
from gae-init.
That way: no need for an https-only, HSTS or flask-sslify approach in my opinion (and experience); and we could enforce it in the default configuration, perhaps putting a warning in the Docs for those developers that turn it off (though all web developers should know that HTTP-based account/password logins are evil ;-)
from gae-init.
The `secure: always` might be an option... in the section they even mention how to deal with versions... but it needs some considerations:
- thinking about this option made me realize that in order to do it right even static stuff (especially js) should be https (otherwise it can be used to inject js that for example makes a post go to http first). But then as we use scheme-based URIs it shouldn't matter as soon as all HTML is served via HTTPS, as everything else is loaded from it (so while in theory one could directly load the static js via http, the clients will never do so, so the attack vector should be gone)
- external links to http://version.appname.appspot.com won't auto-redirect to https://version-dot-appname.appspot.com it seems, so we would lose the ability to take care of that
- the `http_headers` directive doesn't seem to allow setting the HSTS headers for traffic that goes to a script. Effectively this means that if we want HSTS we would need decorators / flask-sslify anyhow.
The more I think about this, the more I like the flask-sslify approach, maybe a bit tweaked for the version https links and dev-server http only... that way everything would be served as https by default, making the whole thing pretty secure by default, and we wouldn't need to modify / prefix anything with `ssl_required` decorators or anything...
So question: do we want https for everything or not?
from gae-init.
While I understand all these issues, the cleanest solution would be just to update the `app.yaml` as @mdxs already mentioned when the app is ready and all the custom domains are SSL enabled... so I'm not sure if I want to overcomplicate and add after all this logic for hybrid solutions...
P.S. Not discarded, but dealing with other issues at the moment and don't want to rush with this one... where were you when the email auth branch was still under dev :P I think the PhD is taking too much of your time :D
from gae-init.
Well, two things that adding `secure: always` to all handlers in `app.yaml` can't do are:
- HSTS
- properly redirecting http://version.app.appspot.com to https://version-dot-app.appspot.com (this is probably not a big deal for new apps, but e.g. for all the linked gae-init.appspot.com tests and docs it might get problematic)
Still, it's a rather small change and it would be pretty secure already...
from gae-init.
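The "flask-sslify approach, a bit tweaked for the version https links and dev-server http only" from the earlier comment, and the two things the later comment says `secure: always` alone cannot do (HSTS on script handlers, and the `version.app.appspot.com` to `version-dot-app.appspot.com` redirect), as one added example. This is not gae-init code and was not posted in the thread; it is a plain WSGI middleware that wraps any WSGI app, Flask included. Assumptions: the dev server is recognised by a `SERVER_SOFTWARE` value starting with `Development`, the host rewrite rule is exactly `<version>.<app>.appspot.com` to `<version>-dot-<app>.appspot.com`, the HSTS value is a one-year `max-age`, and `hello`, `make_environ` and `run` are constructed stand-ins for the real app and real requests.

```python
import os
import re

# Assumption (not from the thread): a version host is "<version>.<app>.appspot.com"
# and its HTTPS form is "<version>-dot-<app>.appspot.com", because the *.appspot.com
# wildcard certificate only covers a single label.
_DOTTED_VERSION_HOST = re.compile(r'^([^.]+)\.([^.]+)\.appspot\.com$')

# One year, subdomains included; the value is a choice for this example.
HSTS_VALUE = 'max-age=31536000; includeSubDomains'


def is_dev_server(environ=None):
    """True on dev_appserver, which reports SERVER_SOFTWARE as 'Development/...'."""
    env = os.environ if environ is None else environ
    return env.get('SERVER_SOFTWARE', '').startswith('Development')


def https_host(host):
    """Rewrite version.app.appspot.com to version-dot-app.appspot.com.

    Custom domains, app.appspot.com and already-rewritten -dot- hosts pass through
    unchanged; a port suffix is dropped because the redirect goes to 443.
    """
    host = host.split(':')[0]
    match = _DOTTED_VERSION_HOST.match(host)
    if match:
        return '%s-dot-%s.appspot.com' % (match.group(1), match.group(2))
    return host


def redirect_target(environ):
    """Return the https:// URL a plain-HTTP request must be sent to, or None when
    the request is already HTTPS or we are on the dev server (HTTP only there)."""
    if is_dev_server(environ):
        return None
    # wsgi.url_scheme is set by the platform. An X-Forwarded-Proto header is only
    # trustworthy if a proxy you control overwrites it, so it is not consulted here.
    if environ.get('wsgi.url_scheme', 'http') == 'https':
        return None
    url = 'https://%s%s' % (https_host(environ.get('HTTP_HOST', '')),
                            environ.get('PATH_INFO', '/'))
    query = environ.get('QUERY_STRING', '')
    return url + '?' + query if query else url


class ForceHTTPS(object):
    """WSGI middleware: redirect HTTP to HTTPS and add HSTS to every HTTPS response,
    script handlers included (app.yaml's http_headers only covers static handlers)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        target = redirect_target(environ)
        if target is not None:
            start_response('301 Moved Permanently',
                           [('Location', target), ('Content-Type', 'text/plain')])
            return [b'']

        def start_response_with_hsts(status, headers, exc_info=None):
            # Only reached for HTTPS requests or on the dev server; HSTS is never
            # sent on the dev server so a browser does not pin localhost to HTTPS.
            if not is_dev_server(environ):
                headers = [(k, v) for k, v in headers
                           if k.lower() != 'strict-transport-security']
                headers.append(('Strict-Transport-Security', HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_hsts)


def hello(environ, start_response):
    """Constructed stand-in for the real Flask app."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'hello']


def make_environ(host, scheme='http', path='/', query='',
                 software='Google App Engine/1.9.0'):
    """Build a minimal WSGI environ (constructed test input, not a real request)."""
    return {'HTTP_HOST': host, 'wsgi.url_scheme': scheme, 'PATH_INFO': path,
            'QUERY_STRING': query, 'SERVER_SOFTWARE': software,
            'REQUEST_METHOD': 'GET'}


def run(app, environ):
    """Drive a WSGI app once; return (status, headers as a dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'], captured['headers'] = status, headers
        return lambda data: None

    body = b''.join(app(environ, start_response))
    return captured['status'], dict(captured['headers']), body


if __name__ == '__main__':
    secured = ForceHTTPS(hello)
    print(run(secured, make_environ('v1.myapp.appspot.com', path='/login')))
    print(run(secured, make_environ('myapp.appspot.com', scheme='https')))
    print(run(secured, make_environ('localhost:8080', software='Development/2.0')))
```

In a Flask project it is wired in with `app.wsgi_app = ForceHTTPS(app.wsgi_app)`, which keeps every view free of `ssl_required` decorators. It complements `secure: always` rather than replacing it: the `app.yaml` directive stops App Engine from serving the handler over HTTP at all, while the middleware supplies the HSTS header on script responses and the `-dot-` host rewrite that the platform redirect does not do. Note also that a POST that arrived over plain HTTP has already exposed its body before any redirect, which is why the thread's point that the HTML serving the form must itself come over HTTPS is the part that actually protects logins.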
Well, I invested quite some time in this already, while there seems to be little agreement.
The current state is so damn insecure by default that it hurts.
So just add `secure: always` to all handlers in `app.yaml` and make it fast! Then it should be pretty secure by default.
HSTS would be nice, but can (and still should) be added later.
from gae-init.
2df0f83 :D 👯 💃
For the docs and other gae-init examples I will not use https for now and most likely disable the custom login at least :) These custom versions are a bit outdated... but I will come back to them!!
from gae-init.
👍 thanks
from gae-init.
🔒 👯 🔐
from gae-init.