[Dashboard] Security #8

@Arraying

Description

The dashboard needs to be secure. The following endpoints must be verified as hardened:

  • GET /api/pipelines and GET /api/pipelines/:pid must only expose relevant information.
  • GET /api/pipelines/:pid/config and POST /api/pipelines/:pid/config must only be accessible to assignees.
  • GET /api/runs/:pid/:rid/log and GET /api/runs/:pid/:rid/archived are accessible only if the pipeline is public or the requester is assigned.
  • POST /trigger/:token needs to be widely accessible.
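The access rules above, as an added example that is not the dashboard project's own code: a framework-agnostic authorization policy with one branch per bullet, plus an explicit field allow-list for the pipeline listing. The action names, the `user`/`pipeline` record shapes, the sample data and the `handle` helper are assumptions.

```javascript
// Added example (not the dashboard project's own code): a framework-agnostic
// authorization policy for the endpoints listed in the issue. The action
// names, the record shapes and the sample data below are assumptions.

// Constructed sample records; `webhookToken` stands in for any per-pipeline
// secret that a listing must never leak.
const PIPELINES = {
  p1: { id: 'p1', name: 'build-docs',  isPublic: true,  assignees: ['alice'], webhookToken: 'placeholder-token-1' },
  p2: { id: 'p2', name: 'deploy-prod', isPublic: false, assignees: ['bob'],   webhookToken: 'placeholder-token-2' },
};

function isAssigned(pipeline, user) {
  return user != null && pipeline.assignees.includes(user.name);
}

// Projection for GET /api/pipelines and GET /api/pipelines/:pid: an explicit
// allow-list of fields, so columns added later are not exposed by accident.
function publicView(pipeline) {
  return { id: pipeline.id, name: pipeline.name, isPublic: pipeline.isPublic };
}

const ALLOW = Object.freeze({ allow: true, status: 200 });
const FORBIDDEN = Object.freeze({ allow: false, status: 403 });

// Decide whether `user` (null when anonymous) may perform `action` on `pipeline`.
// Each branch maps to one bullet of the issue; unknown actions are denied.
function authorize(action, pipeline, user) {
  switch (action) {
    case 'pipeline:read':   // GET /api/pipelines, GET /api/pipelines/:pid
      return ALLOW;         // readable by anyone, but only through publicView()
    case 'config:read':     // GET  /api/pipelines/:pid/config
    case 'config:write':    // POST /api/pipelines/:pid/config
      return isAssigned(pipeline, user) ? ALLOW : FORBIDDEN;
    case 'run:log':         // GET /api/runs/:pid/:rid/log
    case 'run:archived':    // GET /api/runs/:pid/:rid/archived
      return (pipeline.isPublic || isAssigned(pipeline, user)) ? ALLOW : FORBIDDEN;
    case 'trigger':         // POST /trigger/:token: no session needed, the token is the credential
      return ALLOW;
    default:
      return FORBIDDEN;     // deny by default
  }
}

// Request-handler shape: look up the pipeline, authorize, then return either
// the projected resource or a bare error status. `pid` comes from the route.
function handle(action, pid, user) {
  const pipeline = PIPELINES[pid];
  if (!pipeline) return { status: 404 };
  const decision = authorize(action, pipeline, user);
  if (!decision.allow) return { status: decision.status };
  const body = action === 'pipeline:read' ? publicView(pipeline) : { ok: true };
  return { status: 200, body };
}

// Stand-alone run: show a few decisions.
console.log(handle('pipeline:read', 'p2', null));             // 200, no webhookToken in body
console.log(handle('config:read', 'p2', { name: 'alice' }));  // 403, alice is not assigned to p2
console.log(handle('run:log', 'p1', null));                   // 200, p1 is public
```

The policy is deliberately a pure function of (action, pipeline, user) so it can be unit-tested without a web framework and then wired in as middleware; the listing projection is an allow-list rather than a deny-list, which is what keeps a later schema change from leaking new fields.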

Furthermore, CORS and cookie inclusion need to be set:

  • When running in production, only allow same origin for mode and cookies in fetch.
  • Otherwise, allow cross origin requests.
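The two environment modes above, as an added example that is not the dashboard project's own code: the fetch() options the UI should use and the matching server-side CORS headers. The environment flag, the `DEV_ORIGIN` value and the function names are assumptions.

```javascript
// Added example (not the dashboard project's own code): selecting fetch()
// request options and server-side CORS headers by environment.

const DEV_ORIGIN = 'http://localhost:3000'; // assumed development front-end origin

// Browser side: options merged into every fetch() call from the dashboard UI.
// In production a request may only target the same origin and only sends
// same-origin cookies; in development cross-origin requests carry cookies.
function fetchOptions(isProduction, init = {}) {
  const policy = isProduction
    ? { mode: 'same-origin', credentials: 'same-origin' }
    : { mode: 'cors', credentials: 'include' };
  return { ...init, ...policy }; // the policy overrides caller-supplied values
}

// Server side: CORS response headers for a request from `requestOrigin`.
// Production emits no CORS headers at all, so a page on another origin cannot
// read responses. Development allows only the known dev origin: because the
// client sends credentials, browsers reject the wildcard '*' and the exact
// origin has to be echoed, with Vary: Origin so caches key on it.
function corsHeaders(isProduction, requestOrigin) {
  if (isProduction) return {};
  if (requestOrigin !== DEV_ORIGIN) return {};
  return {
    'Access-Control-Allow-Origin': DEV_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Stand-alone run: compare both environments.
console.log(fetchOptions(true, { method: 'POST' }));   // same-origin / same-origin
console.log(fetchOptions(false));                      // cors / include
console.log(corsHeaders(false, DEV_ORIGIN));           // headers for the dev origin only
console.log(corsHeaders(true, DEV_ORIGIN));            // {} in production
```

Note that the browser-side `mode` alone does not protect the server; the production server must also omit CORS headers (or the same-origin restriction is only a client convention), which is why both halves are shown.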

Lastly:

  • An instance of the dashboard should be tested against SSLLabs and receive an A+.

Metadata

Labels

enhancement (New feature or request), help wanted (Extra attention is needed)
