OWASP criteria - Auth REST/API

c4ss2 · February 8, 2022, 5:44pm

Hi,

We have had some OWASP testing performed on our kirby installation as a requirement for one of our jobs. We’ve managed to pass everything apart from this “low” risk issue:

cache-control: no-store (main site)
The API for the login process (/api/auth/login) does not have cache-control set.

What’s the best way to do this, is there a simple config property to set a cache-control on the API auth endpoint? Would it just be an .htaccess / php header() thing rather than kirby itself?

lukasbestle · February 9, 2022, 8:23pm

Congrats on the (almost) passed test.

It isn’t possible to set headers just for one endpoint via a configuration option. You can however use something like this in your config.php:

if (Str::startsWith($_SERVER['REQUEST_URI'], '/api/')) {
    header('Cache-Control: no-store');
}

I consider the missing header a bug in Kirby and have created a pull request to fix this:

github.com/getkirby/kirby

Use headers from global response for `Response` objects

getkirby:develop ← getkirby:fix/app-io-response-headers

opened 08:17PM - 09 Feb 22 UTC

lukasbestle

+32 -4

## Describe the PR  API responses with an active session depend on the user who requested them. For better reliability and also security, intermediary caches must not cache API responses. `$kirby->session()` already sets a `Cache-Control: no-store` header for dynamic responses, but that was so far not respected by the API (which returns its own custom `Response` object). ## Release notes  ### Bug fixes - API responses now contain the `Cache-Control: no-store` header like other responses with an active session. - The globally configured headers from `$kirby->response()` are now also respected when a route returns a full `Response` object. ## Breaking changes  The `charset` of the `Response` object is not carried through as our `Responder` class doesn't support this property. We use this property nowhere in our own code and I suspect no user or plugin does so either. Do you think we should still move this PR to 3.7.0? Alternatively we can add support for `charset` to `Responder`, but in the long term I think we should rather deprecate support in `Response`. So I think we can merge this PR for 3.6.3. ## Related issues/ideas  - Fixes https://forum.getkirby.com/t/owasp-criteria-auth-rest-api/24690. ## Ready?  - [x] Unit tests for fixed bug/feature - [x] In-code documentation (wherever needed) - [x] CI checks pass  ## When merging - [x] ~Add to [website docs release checklist](https://github.com/getkirby/getkirby.com/pulls) (if needed)~ - [ ] Add changes to release notes draft in Notion

Thanks for your input! Results from external security audits are always really helpful to us. In the future, please send us security-related information via email. In this case it wasn’t a vulnerability, but better safe than sorry.

lukasbestle · April 16, 2022, 11:00am

@c4ss2 The bug of the missing Cache-Control header for API responses will be fixed in Kirby 3.6.5.

Topic		Replies	Views
500 when disabling cache for logged users Questions 🤔 cache	4	730	February 1, 2018
Set-Cookie twice? Questions 🤔	3	1575	June 12, 2017
Issues hosting kirby on webspace Solved ✅	2	685	March 6, 2017
API Auth without Cookies Solved ✅	2	275	September 8, 2021
Passwordless login and API Solved ✅	7	637	October 16, 2021

OWASP criteria - Auth REST/API

Related Topics