Security headers

[georgev-97]

What product are you having troubles with?

Console

What Console version are you using?

13

Description

Hello,

Is it possible to configure predefined security headers (e.g., HSTS, X-Frame-Options, Content-Security-Policy, etc.) to be automatically included in each response? Typically, this can be achieved by modifying the nginx.conf file.

Thank you

Actual Outcome

No response

Expected Outcome

No response

[malta895]

Hi @georgev-97,
if your project uses Nginx, you should be able to achieve what you need by adding the headers to the root-location-extension.conf file under the api-gateway Advanced configurations of your project.

You can add the headers with the nginx add_header command, like in the following example:

add_header 'Some-Header' 'value' always;

Please let me know if this fixes your issue!

[georgev-97]

Hi,

thank you for the answer, it is what I was looking for.
Can i also disable the support to TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D) from there?
Is there a documentation I can check?

Thanks

[fredmaggiowski]

Hi @georgev-97 as for security headers: what API Gateway version are you working with? With version 5.0.2 security headers should be included by default (I just noticed that the version was actually missing from the documentation changelog andr triggered the doc update: mia-platform/documentation#1708)

I'm wondering whether you are using an older version or there is a bug with the 5.0.2. If you want to try and update you could avoid using advanced configurations :)

[georgev-97]

I am using api-gateway version 5.0.2. Could the issue be related to the fact that the request and the response are being proxied by an Envoy API Gateway (envoyproxy/envoy:v1.21.1)?

[fredmaggiowski]

So, just to make sure I've got the architecture properly laid out in my mind: you have a project running the Nginx API Gateway that is proxied by another project running the Envoy API Gateway

sequenceDiagram

participant client
participant envoy
participant nginx

client->>envoy: invoke api

envoy->>nginx: proxy api

nginx->>nginx: prepare security headers

nginx-->>envoy: send security headers

note over envoy: here headers are dropped?

envoy-->>client: no security headers sent

Loading

Is this correct?

Did @malta895 answer above make things work? or is the behaviour the same one? Can you invoke the nginx api directly and see whether headers are actually sent or not?