
Add X-XSS-Protection HTTP Header for RASA Core server request- http://<hostname>:5005


Description of Problem:

This feature is needed to address cross-site scripting security vulnerabilities and other headers as per need. https://forum.rasa.com/t/add-x-xss-protection-http-header-for-rasa-core-server-request-http-hostname-5005/20741?u=arunabh09

Overview of the Solution:

A possible solution which I have implemented is to modify the run.py file, which uses the Sanic server implementation.

from sanic import Sanic
app = Sanic("rasa_core")  # in run.py this is the Sanic app that already exists

@app.middleware('response')
async def prevent_xss(request, response):
    response.headers["x-xss-protection"] = "1; mode=block"  # stamped onto every response

In this way, you can add any other HTTP header as per security requirement.

Examples (if relevant):

Reference: https://sanic.readthedocs.io/en/latest/sanic/middleware.html

Blockers (if relevant): None

Definition of Done: Either enable critical security headers within RASA Core code (run.py) or configure an argument to easily enable/configure HTTP headers without the need for an end user to modify run.py file.
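The "Definition of Done" asks for the headers to be configurable without editing run.py. The following is an added example (not Rasa's code, and not the reporter's snippet) showing one way to do that with a Sanic response middleware: a default header set, a hypothetical repeatable `--security-header Name=value` argument parsed by `parse_header_args`, a `register_security_headers` function that attaches the middleware in the same way as the `@app.middleware('response')` decorator above, and `missing_security_headers`, the audit check a scanner performs against a response. `_StubApp` and `_StubResponse` are constructed stand-ins so the demo runs without Sanic installed; on a real server `app` would be the Sanic application run.py creates. The header names other than X-XSS-Protection are constructed defaults. As the maintainer's reply below points out, these headers only influence browsers; they change nothing about port 5005 being reachable, and the modern replacement for X-XSS-Protection is a Content-Security-Policy, which the demo passes as an override.

```python
import asyncio

# Default header set. X-XSS-Protection is the one from the issue; the others are
# constructed defaults of the same kind so the whole set can be enabled at once.
DEFAULT_SECURITY_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


def parse_header_args(items):
    """Parse repeatable 'Name=value' arguments (hypothetical --security-header
    flag) into a dict. Split on the first '=' only: header values such as CSP
    directives may themselves contain '=' and ';'."""
    headers = {}
    for item in items:
        name, sep, value = item.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            raise ValueError(f"expected Name=value, got {item!r}")
        headers[name] = value
    return headers


def build_header_set(overrides=None, enabled=True):
    """Defaults merged with operator overrides; an empty dict when disabled."""
    if not enabled:
        return {}
    headers = dict(DEFAULT_SECURITY_HEADERS)
    headers.update(overrides or {})
    return headers


def register_security_headers(app, headers):
    """Attach a Sanic response middleware that adds `headers` to every response.

    app.middleware("response")(fn) is the non-decorator form of the decorator
    in the issue. setdefault() keeps any value a handler already chose.
    """
    async def add_security_headers(request, response):
        for name, value in headers.items():
            response.headers.setdefault(name, value)

    app.middleware("response")(add_security_headers)
    return add_security_headers


def missing_security_headers(response_headers, expected=DEFAULT_SECURITY_HEADERS):
    """Audit check (what a scanner does): names in `expected` absent from a
    response, compared case-insensitively because header names are."""
    present = {name.lower() for name in response_headers}
    return [name for name in expected if name.lower() not in present]


class _StubApp:
    """Constructed stand-in for sanic.Sanic so the demo runs without Sanic;
    it records the handler just as app.middleware("response") would."""

    def __init__(self):
        self.response_middleware = []

    def middleware(self, attach_to):
        def register(handler):
            self.response_middleware.append(handler)
            return handler
        return register


class _StubResponse:
    """Constructed stand-in for a Sanic response: only .headers is needed."""

    def __init__(self, headers=None):
        self.headers = dict(headers or {})


def run_demo(cli_args=("Content-Security-Policy=default-src 'self'; frame-ancestors 'none'",)):
    """Wire everything together on the stubs and return the final headers."""
    app = _StubApp()
    register_security_headers(app, build_header_set(parse_header_args(cli_args)))
    # Pretend a handler already set X-Frame-Options; the middleware must keep it.
    response = _StubResponse({"X-Frame-Options": "SAMEORIGIN"})
    for middleware in app.response_middleware:
        asyncio.run(middleware(request=None, response=response))
    return response.headers


if __name__ == "__main__":
    final = run_demo()
    print(final)
    print("missing:", missing_security_headers(final))
```

Because `setdefault` is used, a handler that deliberately sets a different value (for example SAMEORIGIN instead of DENY) wins over the default, while every other response still gets the full set; running `missing_security_headers` against a captured response is the same check the scanner in the issue applied to port 5005.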

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
wochinge commented, Nov 7, 2019

> The issue was reported by Qualys vulnerability scan tool which basically scans for all the open ports on the Linux server irrespective of exterior security configurations like firewall.

But what would the injected script do? Also the status endpoint is nothing which you would typically access with your browser (and only browsers process these headers).

> Also, I did try using Apache reverse proxy settings as mentioned in the forum post, I was able to redirect 5005 request to 9090 Apache but 5005 was still open and the scan reports complained about missing XSS headers for 5005.

The reverse proxy settings can’t change the fact that your server exposes port 5005. I think the header is not the issue, but rather the fact that you should run a firewall.

1 reaction
sara-tagger commented, Nov 6, 2019

Thanks for submitting this feature request 🚀 @wochinge will get back to you about it soon! ✨
