-
Notifications
You must be signed in to change notification settings - Fork 444
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache-Control HTTP header for server endpoints #1471
base: master
Are you sure you want to change the base?
Conversation
I checked out the CI test failure (see excerpt from logs below). Since this particular failure is present in some other recent CI runs and isn't related to my changes, I'll just continue to wait for feedback.
|
Hey @kippmorris7, you're right about the CI issue. I fixed it yesterday with #1464. If you merge the latest master, yours will run OK too. |
4d3f79a
to
65b344c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Webhook create and update responses contain secrets and should not be cached.
Provisioner responses never contain sensitive data.
ACME responses contain some data that may be considered sensitive. I'm not certain how to treat these.
65b344c
to
0ea85e3
Compare
Thank you for the review, @areed ! After looking back over my work, I agree that we can remove the header in most of the places you pointed out, but I think we still need it on the provisioner responses. |
@kippmorris7 This is the type used for webhooks when they appear in provisioners. The secret and credentials are always omitted. |
I see. In that case I understand why we can remove the header from
With this in mind, it seems to me that in |
Yes, you're right. |
0ea85e3
to
e15db84
Compare
Cool, I removed the header from two of the provisioner responses and left it on the others like we discussed. We still need to address the ACME endpoints. Having done my reading, I'm ready to remove them based on my own understanding, but I wasn't clear on whether you were waiting for a third opinion first. |
After reviewing the security considerations of the token I'm comfortable removing the headers for ACME endpoints also. |
e15db84
to
48e72eb
Compare
scep/api/api.go
Outdated
@@ -359,6 +359,7 @@ func writeResponse(w http.ResponseWriter, res Response) { | |||
} | |||
|
|||
w.Header().Set("Content-Type", contentHeader(res)) | |||
w.Header().Set("Cache-Control", "private, no-store") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hslatman Would the SCEP response data ever contain sensitive information? From what I can tell it's either a certificate or a list of capabilities and would never contain the challenge secret.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any secrets are encrypted before being sent to the CA, and not returned to clients, so no obvious sensitive information is leaked. There's some bits of SCEP transaction related information that can be extracted, such as transaction ID and nonces, but I don't think these leak information; at least not directly.
While some responses to GET requests could be cached for a specific amount of time (e.g. GetCACert
, GetCACaps
), I feel responses to POST requests must not be cached. The last (informational) SCEP RFC doesn't say much about caching, only that it has caused issues in the past with large requests and when requests weren't actually idempotent.
We currently support and signal the more modern POSTPKIOperation
(via POST), so clients generally don't send the large GET requests. The responses for POST requests contain client specific results and are unlikely to be fully idempotent, so IMO shouldn't be cached.
In terms of interoperability: I would have to take a look at other SCEP servers if they ever set cache headers. I think clients should simply ignore them when they don't understand them or can't do anything with them, but SCEP being legacy, there's a lot of old systems that may be doing weird things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kippmorris7 Let's remove this one and then the PR will be good to merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've removed it. To double check my understanding, why did you decide against keeping the headers on the POST responses?
I'm glad this is finally being addressed; thank you @kippmorris7 ! |
48e72eb
to
2b8a417
Compare
…s that respond with sensitive info. Fixes smallstep#793
2b8a417
to
31ddf65
Compare
Hey everyone, I just rebased since it's been a while. Is there anything else you'd like me to take another look at before this is ready to merge? |
Add
Cache-Control: private, no-store
HTTP header to server endpoints that respond with sensitive info.Fixes #793
I decided which endpoints to add the header to by investigating each endpoint and the data it returns.
Please let me know if it would be a good idea to update or add tests to check for the new header where needed. My own judgment as of the time of opening this PR was to not update the tests because 1) existing tests aren't checking HTTP response headers from what I saw and 2) I felt like the addition of a header might be too trivial to be worth adding new test code.