Our security scanner reported the DAST issues below.
Can the issues below be fixed from the grafana/loki server side?
Grafana version 10.4.2
grafana 2.9.7
Both for the Loki and Grafana endpoints.
Missing “Content-Security-Policy” header
Missing or insecure “X-Content-Type-Options” header
Missing or insecure HTTP Strict-Transport-Security
Missing “Referrer policy” Security Header
Missing “Content-Security-Policy” header
Reasoning: AppScan detected that the Content-Security-Policy response header is missing or with an insecure policy, which increases exposure to various cross-site injection attacks
Test Requests and Responses:
GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:35:38 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4ddb4f37829f-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=eaca6a1d14d07a9047079d750e499937; path=/; HttpOnly; Secure; SameSite=None
OK
Missing or insecure “X-Content-Type-Options” header
Reasoning: AppScan detected that the "X-Content-Type-Options" response header is missing or has an insecure value, which increases exposure to drive-by download attacks
Test Requests and Responses:
GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:34:52 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4cbc5b8b38a3-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=3b4e4248c169e6d9fce96caac7b9f538; path=/; HttpOnly; Secure; SameSite=None
OK
Missing or insecure HTTP Strict-Transport-Security
Reasoning: AppScan detected that the HTTP Strict-Transport-Security response header is missing or with insufficient "max-age"
Test Requests and Responses:
GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:34:52 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4cbc5b8b38a3-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=3b4e4248c169e6d9fce96caac7b9f538; path=/; HttpOnly; Secure; SameSite=None
OK
Missing “Referrer policy” Security Header
Reasoning: AppScan detected that the Referrer Policy Response header is missing or with an insecure policy, which increases exposure to various cross-site injection attacks
Test Requests and Responses:
GET / HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: loki-sgi.platform.saas.ibm.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 0
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 01:34:18 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 894f4be6d93e9c3c-IAD
Set-Cookie: 2dd7ffe3e648bc0f3a47034a7978800f=9ac3d0966558598165f2d8a39ff43225; path=/; HttpOnly; Secure; SameSite=None
OK
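As an added example (not Grafana's, Loki's or AppScan's code), the checker below parses a raw HTTP/1.1 response and reports which of the four findings above apply to it; it runs against the Loki response captured in this post and against a constructed response with the headers a reverse proxy in front of Loki or Grafana would add. The HSTS max-age threshold and the Referrer-Policy allow-list are assumptions, not AppScan's published rules.

```python
import re
from typing import Dict, List, Optional

# Constructed from the Loki response captured in the post above (cookie line omitted).
LOKI_RESPONSE = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 17 Jun 2024 01:35:38 GMT\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 2\r\n"
    "Connection: keep-alive\r\nServer: cloudflare\r\n\r\nOK"
)
# Constructed: the same response once a reverse proxy adds the four headers.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 2\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\nOK"
)
MIN_HSTS_MAX_AGE = 31536000  # assumed threshold: one year, the usual scanner minimum
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}  # assumed allow-list

def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers keyed by lower-case name; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS value, or None when absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_findings(raw: str) -> List[str]:
    """Return the findings (in the post's order) that apply to a raw HTTP response."""
    h = parse_headers(raw)
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    if not csp or "unsafe-inline" in csp or "unsafe-eval" in csp:  # scanners treat these as weak
        findings.append("Missing or insecure Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Missing or insecure X-Content-Type-Options")
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None or age < MIN_HSTS_MAX_AGE:
        findings.append("Missing or insecure Strict-Transport-Security")
    policy = h.get("referrer-policy", "").split(",")[-1].strip().lower()  # last policy wins
    if policy not in SAFE_REFERRER:
        findings.append("Missing or insecure Referrer-Policy")
    return findings
```

Because the captured responses come back through Cloudflare, run the check both at the edge and directly against the origin, since a header added by the proxy layer can hide one missing from Loki itself.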