Add X-XSS-Protection HTTP Header for RASA Core server request- http://<hostname>:5005
Description of Problem:
This feature is needed to address cross-site scripting security vulnerabilities, and to add other headers as per need. https://forum.rasa.com/t/add-x-xss-protection-http-header-for-rasa-core-server-request-http-hostname-5005/20741?u=arunabh09
Overview of the Solution:
A possible solution, which I have implemented, is to modify the run.py file, which uses the Sanic server implementation:

```python
from sanic import Sanic
app = Sanic("rasa_core")  # stands in for the Sanic app that run.py already creates
@app.middleware("response")
async def prevent_xss(request, response):
    response.headers["x-xss-protection"] = "1; mode=block"  # Sanic runs this for every response
```
In this way, you can add any other HTTP header as per security requirement.
Examples (if relevant):
Reference: https://sanic.readthedocs.io/en/latest/sanic/middleware.html
Blockers (if relevant): None
Definition of Done: Either enable critical security headers within RASA Core code (run.py) or configure an argument to easily enable/configure HTTP headers without the need for an end user to modify run.py file.
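The issue asks for a way to set security headers without every operator editing run.py. Since Sanic applications can also be served as ASGI apps, one option is to put the headers in a framework-agnostic ASGI middleware that wraps the server's app object. The example below is added here for illustration; it is not Rasa's or Sanic's code, and the header set, the `SecurityHeadersMiddleware` name and the stand-in `fake_status_app` are all assumptions made for the demo. It keeps `X-XSS-Protection` because the issue requests it, but note the caveat in the comments: current browsers ignore that header, so `Content-Security-Policy` is the header that actually constrains script execution. The middleware also leaves headers the application already set untouched, so a route that chooses its own `Cache-Control` is not clobbered by the defaults.

```python
"""ASGI middleware that adds security headers to every HTTP response.

Illustrative example written for this note, not Rasa's or Sanic's code.
Any ASGI server (uvicorn, hypercorn, ...) can run `SecurityHeadersMiddleware(app)`
in place of `app`; how the Sanic app object is obtained from the server is
outside the scope of this example.
"""
import asyncio
from typing import Awaitable, Callable, Dict, List, Optional, Tuple

Scope = dict
Message = dict
Receive = Callable[[], Awaitable[Message]]
Send = Callable[[Message], Awaitable[None]]
ASGIApp = Callable[[Scope, Receive, Send], Awaitable[None]]

# Assumed defaults for a JSON API. X-XSS-Protection is included because the
# issue asks for it, but Chrome removed its XSS auditor and Firefox never had
# one, so browsers now ignore it; the CSP line is what blocks injected script.
DEFAULT_SECURITY_HEADERS: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def merge_headers(existing: List[Tuple[bytes, bytes]],
                  extra: Dict[str, str]) -> List[Tuple[bytes, bytes]]:
    """Return `existing` plus each header in `extra` not already present.

    ASGI header names are lowercase bytes; the comparison is case-insensitive
    so a value the application set itself always wins over the default.
    """
    present = {name.lower() for name, _ in existing}
    merged = list(existing)
    for name, value in extra.items():
        wire_name = name.lower().encode("latin-1")
        if wire_name not in present:
            merged.append((wire_name, value.encode("latin-1")))
    return merged


class SecurityHeadersMiddleware:
    """Wrap an ASGI app and add `headers` to every HTTP response it sends."""

    def __init__(self, app: ASGIApp, headers: Optional[Dict[str, str]] = None) -> None:
        self.app = app
        self.headers = dict(DEFAULT_SECURITY_HEADERS if headers is None else headers)

    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
        if scope["type"] != "http":  # websocket and lifespan scopes pass through untouched
            await self.app(scope, receive, send)
            return

        async def send_with_headers(message: Message) -> None:
            if message["type"] == "http.response.start":
                message = dict(message)  # do not mutate the app's own message object
                message["headers"] = merge_headers(list(message.get("headers", [])), self.headers)
            await send(message)

        await self.app(scope, receive, send_with_headers)


# --- constructed demo: a tiny ASGI app standing in for the Rasa server ---------
async def fake_status_app(scope: Scope, receive: Receive, send: Send) -> None:
    """Stand-in for GET /status; it sets its own Cache-Control on purpose."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json"),
                            (b"cache-control", b"max-age=5")]})
    await send({"type": "http.response.body", "body": b'{"status": "ok"}'})


async def _drive(app: ASGIApp, scope: Scope) -> List[Message]:
    """Run one request through `app` with no-op receive, collecting sent messages."""
    sent: List[Message] = []

    async def receive() -> Message:
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message: Message) -> None:
        sent.append(message)

    await app(scope, receive, send)
    return sent


def response_headers(scope_type: str = "http") -> Dict[str, str]:
    """Return the headers the wrapped demo app sends for one request as a str dict."""
    app = SecurityHeadersMiddleware(fake_status_app)
    scope = {"type": scope_type, "method": "GET", "path": "/status"}
    messages = asyncio.run(_drive(app, scope))
    start = [m for m in messages if m["type"] == "http.response.start"]
    if not start:
        return {}
    return {name.decode("latin-1"): value.decode("latin-1") for name, value in start[0]["headers"]}


if __name__ == "__main__":
    for name, value in response_headers().items():
        print(f"{name}: {value}")
```

Running the module prints the merged header set for the stand-in `/status` route: the application's `content-type` and `cache-control` are kept as sent, and the defaults are appended only where no header of that name exists. This does not change the maintainers' point below about exposure of port 5005: a response header only matters once a browser is talking to the server, and it is no substitute for restricting who can reach the port.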
Issue Analytics
- State:
- Created 4 years ago
- Comments:7 (4 by maintainers)
Top GitHub Comments
But what would the injected script do? Also, the status endpoint is nothing which you would typically access with your browser (and only browsers process these headers).
The reverse proxy settings can’t change the fact that your server exposes port 5005. I think the header is not the issue, but rather the fact that you should run a firewall.
Thanks for submitting this feature request 🚀 @wochinge will get back to you about it soon! ✨