
PIMS-2106: Address WAVA Scan Findings #2781

Merged
merged 3 commits into from
Nov 5, 2024

Conversation

LawrenceLau2020
Collaborator

@LawrenceLau2020 LawrenceLau2020 commented Oct 31, 2024

🎯 Summary

PIMS-2106
It seems that some of the findings of the WAVA report, such as "Cookie with Insecure or Improper or Missing SameSite attribute", are out of our control, as these cookies are being sent by the service sending back the response (keycloak, siteminder, etc.).

Changes

  • Added security headers based on an existing repo mentioned by Garry in the Jira ticket.
  • Modified the content security policy somewhat to allow for requests to unpkg.com, cdnjs.cloudflare so that the map displays correctly.
  • Also removed "'Access-Control-Allow-Origin', '*'" as this can potentially be a security issue; please test to see that nothing broke.
  • This is a preliminary change. Feedback and additional suggestions are welcome!

Testing

  • To test you will need to run the react-app and the express-api as docker containers:
    docker-compose build pims-app-v2
    docker-compose build pims-api-v2
    and then to run the containers: docker-compose up pims-app-v2 -d

  • Once the application is running, you'll need to check the console for any errors and also make sure everything is working as expected. I did do some testing with the map filter and the creation of a project, which seemed to work. You may need to edit the content security policy if some URL was missed (e.g. an image not loading when it should be).

  • This is kind of hard to test, other than making sure everything still works and then merging to dev to let the OWASP scan run in Openshift, but if you have time and want to try, you can always install the open-source OWASP ZAP scanning tool, run it as a docker container, and follow the instructions in the documentation here: https://www.zaproxy.org/docs/docker/about/

  • Also, note that currently we are not doing an "in depth" application scan by logging in and testing each of the pages which would involve adding some authentication to the existing OWASP scan and more configuration.

🔰 Checklist

  • I have read and agree with the following checklist and am following the guidelines in our Code of Conduct document.
  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation where required.
  • I have tested my changes to the best of my ability.
  • My changes generate no new warnings.
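A header audit of the kind the WAVA/ZAP scan performs, as an added example that is not part of this PR or the PIMS project: it parses a Content-Security-Policy value into directives and reports the weaknesses a scanner flags (unsafe-inline, a nonce too short to be random, directives that do not inherit from default-src, a short or missing HSTS max-age, a wildcard Access-Control-Allow-Origin). SAMPLE_HEADERS is a constructed response whose CSP and HSTS values are taken from the diff in this PR; run it against the headers of the deployed app by filling the dict from a real response.

```python
# Added example (not PIMS code); SAMPLE_HEADERS is constructed from the PR diff.
import re

# These never fall back to default-src, so "default-src 'none'" alone leaves them unrestricted.
NO_FALLBACK = ("frame-ancestors", "base-uri", "form-action")

SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000;",
    "Content-Security-Policy": (
        "default-src 'none'; frame-src 'self' *.gov.bc.ca; "
        "script-src 'nonce-windowsp' 'self' *.gov.bc.ca https://unpkg.com; "
        "style-src 'self' 'unsafe-inline' https://unpkg.com; "
        "img-src 'self' data: tile.openstreetmap.org; connect-src 'self';"),
}

def parse_csp(value):
    """Return {directive: [sources]} from a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    """Return a list of finding strings for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        for directive, sources in policy.items():
            if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
                findings.append(f"{directive} allows unsafe-inline/unsafe-eval")
            for src in sources:
                # Nonces need >=128 bits of fresh entropy (22+ base64 chars); a short constant is neither.
                if src.startswith("'nonce-") and len(src) < len("'nonce-'") + 22:
                    findings.append(f"{directive} nonce {src} is too short to be random")
        findings += [f"{d} not set (does not inherit default-src)"
                     for d in NO_FALLBACK if d not in policy]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("missing or malformed Strict-Transport-Security")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS max-age shorter than one year")
    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is a wildcard")
    return findings
```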


🚀 Deployment Information

The Express API Image has been built with the tag: 2781. Please make sure to utilize this specific tag when promoting these changes to the TEST and PROD environments during the API deployment. For more updates please monitor Image Tags Page on Wiki.


🚀 Deployment Information

The React APP Image has been built with the tag: 2781. Please make sure to utilize this specific tag when promoting these changes to the TEST and PROD environments during the APP deployment. For more updates please monitor Image Tags Page on Wiki.

@github-actions github-actions bot added the Tests label Oct 31, 2024
add_header Pragma "no-cache";

# Content Security Policy
add_header Content-Security-Policy "default-src 'none'; frame-src 'self' *.gov.bc.ca; script-src 'nonce-windowsp' 'self' *.gov.bc.ca https://maps.googleapis.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://unpkg.com https://cdnjs.cloudflare.com; font-src 'self' *.gov.bc.ca; img-src 'self' *.gov.bc.ca data: tile.openstreetmap.org https://maps.googleapis.com https://unpkg.com https://cdnjs.cloudflare.com https://openmaps.gov.bc.ca; connect-src 'self' *.gov.bc.ca https://openmaps.gov.bc.ca; manifest-src 'self';";
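Review bot: 'nonce-windowsp' in script-src is a fixed literal, and a CSP nonce only blocks injected inline scripts when it is generated fresh and unpredictably for every response; a constant value emitted from static nginx config gives no protection, because any injected inline script can carry the same nonce attribute, so it is effectively the same as allowing inline scripts. Either generate the nonce per request in the layer that renders the HTML, or drop it and rely on 'self' plus the listed hosts. Separately, frame-ancestors, base-uri and form-action do not inherit from default-src 'none', so this policy as written does not restrict framing, base tags or form targets; add frame-ancestors 'self' (or 'none') and base-uri 'self', and consider replacing 'unsafe-inline' in style-src with hashes or a nonce once the inline styles are inventoried.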
Collaborator


Where is the maps.googleapis.com used?

Collaborator Author

@LawrenceLau2020 LawrenceLau2020 Oct 31, 2024


Good catch, that was probably copied and pasted from the other repo. I can remove it.

@@ -1,4 +1,26 @@
server {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always
# connect via HTTPS (do not use if only testing)
add_header Strict-Transport-Security "max-age=31536000;";
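Review bot: the HSTS value "max-age=31536000;" has a stray trailing semicolon inside the quotes; browsers tolerate it, but the intended form is "max-age=31536000" (add "; includeSubDomains" only once every subdomain is served over HTTPS). On the localhost question raised for this hunk: browsers ignore a Strict-Transport-Security header received over plain HTTP, so the directive is inert on a non-TLS local setup and only starts pinning HTTPS after a client has seen it over a TLS connection. One nginx caveat for the whole set of add_header lines in this server block: add_header is inherited by a location block only if that location declares no add_header of its own, so any location that adds even one header silently drops all of these security headers for that path; verify by checking the response headers of each route served by a location with its own add_header.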
Collaborator


Not sure how this still works with localhost. Doesn't seem to impede it, but it's not https there.

Collaborator

@dbarkowsky dbarkowsky left a comment


Everything seems to work in local. Let's see how it affects DEV.

@LawrenceLau2020 LawrenceLau2020 merged commit a8b6da9 into main Nov 5, 2024
12 checks passed
@LawrenceLau2020 LawrenceLau2020 deleted the PIMS-2106 branch November 5, 2024 16:29