Replies: 8 comments 2 replies
-
Proposal of an exchange sequence flow diagram for the REST API:

```mermaid
sequenceDiagram
    participant C as Client
    participant A as REST API
    participant O as OSHP GitHub repo
    C->>A: Call the service
    Note right of C: Specify the target server type
    alt Configuration exists in the temporary cache
        A->>C: Return the configuration from the cache
    else Configuration does not exist in the temporary cache
        A->>O: Ask for the recommended headers configuration data
        O->>A: Get data as markdown
        A->>A: Process the data and generate corresponding configuration
        A->>A: Add the configuration into the temporary cache
        A->>C: Return the configuration
    end
```

Cache will be around 4 hours and will be memory only.
-
Proposal for the API itself in terms of endpoints:

```json
{
  "openapi": "3.0.3",
  "info": {
    "title": "OSHP Configuration Generator API",
    "version": "1.0",
    "description": "REST API to obtain the latest recommended HTTP response security headers for a specified web/application server."
  },
  "servers": [
    {
      "url": "https://oshp-api.owasp.com",
      "variables": {}
    }
  ],
  "paths": {
    "/servers": {
      "summary": "List of supported servers",
      "get": {
        "summary": "Get the list of supported servers",
        "description": "Get the list of supported servers",
        "operationId": "getSupportedServers",
        "responses": {
          "200": {
            "description": "List of supported server names",
            "content": {
              "application/json": {
                "examples": {
                  "List of server names": {
                    "value": ["apache", "nginx"]
                  }
                }
              }
            }
          },
          "500": {
            "description": "Technical error on server side",
            "content": {
              "application/json": {
                "examples": {
                  "An error occurred": {
                    "value": {
                      "error": "An error preventing the correct handling of the request"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "/configuration/{serverName}": {
      "summary": "Access to the OSHP recommended configuration for HTTP response headers",
      "get": {
        "summary": "Generate the configuration for the specified web/app server name",
        "description": "Generate the configuration for the specified web/app server name",
        "parameters": [
          {
            "in": "path",
            "name": "serverName",
            "schema": {
              "type": "string",
              "pattern": "^[a-z\\-0-9]+$"
            },
            "required": true,
            "description": "Identifier of the server name for which the configuration is wanted"
          }
        ],
        "operationId": "getConfiguration",
        "responses": {
          "200": {
            "description": "Success response case",
            "content": {
              "text/plain; charset=utf-8": {
                "examples": {
                  "Configuration in text format applicable for the target server": {
                    "value": "Cross-Origin-Embedder-Policy: require-corp\nCross-Origin-Opener-Policy: same-origin\nCross-Origin-Resource-Policy: same-origin\nPermissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()\nReferrer-Policy: no-referrer\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload"
                  }
                }
              }
            }
          },
          "400": {
            "description": "Unsupported server specified",
            "content": {
              "application/json": {
                "examples": {
                  "Unsupported server name": {
                    "value": {
                      "error": "Server name specified is not supported"
                    }
                  }
                }
              }
            }
          },
          "500": {
            "description": "Technical error on server side",
            "content": {
              "application/json": {
                "examples": {
                  "An error occurred": {
                    "value": {
                      "error": "An error preventing the correct handling of the request"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```
-
It's down now to using the Heroku free tier 😢
-
Maybe we should check if OWASP can help with these resources.
-
👀 Based on the feedback provided in discussion #9, and as we now provide both JSON files automatically updated, I think that a web API is not relevant anymore. 😈 Indeed, I think that a person provisioning a web server will never blindly use an external service to add a config into their server in a fully automated way without any validation. 💡 That is why I think it can be more useful to provide a little python3 script leveraging both JSON files to generate configuration code for a set of web servers. In this way, it allows a person to use it and tune it to their environment (Ansible, custom script, ...). ✔ We focus on generating a valid configuration with the recommended headers, no more no less. @riramar What do you think? It is really an open question 😉
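A minimal version of the generator script proposed in the comment above, added here as an illustration and not the project's own code. It reuses the two server names and the `serverName` identifier rule from the API proposal earlier in the thread; the two inline JSON documents are constructed, and their shape (a list of name/value objects to add, a list of names to remove) is an assumption about the OSHP files, which in practice would be fetched from their stable URLs.

```python
import json
import re

# Constructed sample; assumed shape of the OSHP "headers to add" file.
HEADERS_ADD_JSON = """{
  "last_update_utc": "2000-01-01 00:00:00",
  "headers": [
    {"name": "X-Frame-Options", "value": "deny"},
    {"name": "Referrer-Policy", "value": "no-referrer"},
    {"name": "Strict-Transport-Security", "value": "max-age=31536000; includeSubDomains"}
  ]
}"""
# Constructed sample; assumed shape of the OSHP "headers to remove" file.
HEADERS_REMOVE_JSON = """{
  "last_update_utc": "2000-01-01 00:00:00",
  "headers": ["Server", "X-Powered-By"]
}"""

SUPPORTED_SERVERS = ("apache", "nginx")
# Same rule as the serverName path parameter of the API proposal.
SERVER_NAME_RE = re.compile(r"^[a-z\-0-9]+$")
# RFC 7230 token characters; a name or value carrying CR/LF would break the
# generated config (or smuggle an extra header), so such input is rejected.
HEADER_NAME_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")

def _check(name, value=""):
    if not HEADER_NAME_RE.match(name) or "\r" in value or "\n" in value:
        raise ValueError(f"invalid header: {name!r}")

def generate(server_name, add_json, remove_json):
    """Return the configuration snippet for server_name as text."""
    if not SERVER_NAME_RE.match(server_name) or server_name not in SUPPORTED_SERVERS:
        raise ValueError("Server name specified is not supported")
    lines = []
    for h in json.loads(add_json)["headers"]:
        _check(h["name"], h["value"])
        value = h["value"].replace('"', '\\"')  # keep the quoted argument valid
        if server_name == "nginx":
            lines.append(f'add_header {h["name"]} "{value}" always;')
        else:
            lines.append(f'Header always set {h["name"]} "{value}"')
    for name in json.loads(remove_json)["headers"]:
        _check(name)
        if server_name == "nginx":  # core nginx cannot unset arbitrary headers
            lines.append(f"# {name}: needs the headers-more module (more_clear_headers)")
        else:
            lines.append(f"Header always unset {name}")
    return "\n".join(lines) + "\n"
```

Call `generate("nginx", HEADERS_ADD_JSON, HEADERS_REMOVE_JSON)` to get an nginx snippet; an Ansible task or cookbook would feed it the downloaded files instead of the inline samples.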
-
Since we don't have the infra, I'm fine to proceed with the python script.
-
I'm working on this project to provide such a script...
-
After thinking about this point: as we provide the headers as a collection of auto-updated JSON files on a stable URL, I think that this tool is not relevant anymore. Indeed, people will use the JSON files inside a script/cookbook to provision their environment. I will make a PR to update the website and mark the project as archived. We can reopen it later if needed...
-
Hi leaders/community folks,
I'm thinking of an online tool, like the Mozilla SSL Configuration Generator, but for HTTP response headers.
The idea is to allow a company to always have the recommended configuration proposed by OSHP for a specified HTTP server (web or app server).
The Mozilla tool is a pure client-side one, but I think that one exposed as a REST API can be interesting in the context of continuous deployment or dynamic system provisioning, to set up a web/app server with the latest recommended HTTP response headers configuration...
What do you think about this? Do you think that such a tool can be useful?