Resolve "Implement HSTS / Envoy Default Security Headers Filter"
General MR
Summary
Adds a default EnvoyFilter to increase the security of the Istio cluster, adding the following headers to all gateway-enabled Virtual Services.
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin
Relevant logs/screenshots
✅ alertmanager.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ anchore-api.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ anchore.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ argocd.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ chat.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ containers.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ fortify.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ gitlab.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ grafana.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ harbor.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ holocron.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubdomains;
✅ kiali.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ kibana.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ loki.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ minio-api.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ minio.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ neuvector.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ nexus.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ prometheus.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ registry.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ sonarqube.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains;
✅ tempo.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ thanos.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ thanos-minio.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ tracing.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ twistlock.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
✅ vault.dev.bigbang.mil --> strict-transport-security: max-age=31536000; includeSubDomains
Big Bang test runs here: big-bang/bigbang!5293 (closed). The upgrade fails with all-packages, but that seems to be a CI issue. I successfully upgraded a cluster from release 2.38.0 to this branch.
Linked Issue
For #239 (closed)
Upgrade Notices
This release adds a default EnvoyFilter to increase the security of the Istio cluster. This filter -- which defaults to enabled -- can be disabled using e.g. `istio.Values.defaultSecurityHeaders.enabled: false`. The filter will add the following HTTP headers when the back-end service does not already provide the header.
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin
In the event these additional headers cause issues with any deployment, you can disable the filter and reach out to the Big Bang team.
Activity
changed milestone to %2.39.0
added istio statusdoing labels
assigned to @michaelmartin
added all-packages label
removed all-packages label
added teamService Mesh label