From 2a9d6ea92cf723a22142dfe0cf9d393fee60b8a5 Mon Sep 17 00:00:00 2001 From: Umair Fayaz Date: Mon, 3 Apr 2023 12:59:18 +0530 Subject: [PATCH 1/6] BAH-2960 | Add missing security headers --- templates/ingress.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/templates/ingress.yaml b/templates/ingress.yaml index f9e06986..6ad94c8d 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -6,7 +6,18 @@ metadata: environment: {{ .Values.metadata.labels.environment }} annotations: nginx.ingress.kubernetes.io/configuration-snippet: | - add_header X-Frame-Options "SAMEORIGIN"; + add_header Cache-Control "no-store, max-age=0"; + add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content"; + add_header Cross-Origin-Embedder-Policy "require-corp"; + add_header Cross-Origin-Opener-Policy "same-origin"; + add_header Cross-Origin-Resource-Policy "same-origin"; + add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"; + add_header Pragma "no-cache"; + add_header Referrer-Policy "no-referrer"; + add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options "deny"; + add_header X-Permitted-Cross-Domain-Policies "none"; nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.metadata.ingress.PROXY_BODY_SIZE }} spec: ingressClassName: nginx From ef105e9348ceac9f32cac92eda2995f9cfe0a825 Mon Sep 17 00:00:00 2001 
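Review bot: None of the new `add_header` lines carries the `always` flag, so nginx attaches these headers only to 2xx/3xx responses and error pages (4xx/5xx, including auth failures) are served without HSTS, X-Frame-Options or nosniff; append it to every directive, e.g. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (which also drops the stray space before `;` in the HSTS value). The Content-Security-Policy value is only `upgrade-insecure-requests; block-all-mixed-content` with no fetch or `frame-ancestors` directives, so it restricts mixed content but not script or frame sources — a comment such as `# CSP intentionally limited to mixed-content controls; source allowlists are owned by the application` above the annotation would stop readers from assuming more protection than it gives. If the controller's built-in HSTS emission is still on in the ingress-nginx ConfigMap, this HSTS line presumably produces a duplicated header; confirm against the controller configuration. Newer ingress-nginx releases ship with `allow-snippet-annotations` disabled, in which case the whole `configuration-snippet` annotation is rejected and the ConfigMap `add-headers` mechanism is the supported alternative. The same missing `always` applies to the header lines touched in patches 2 through 6.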
From: Umair Fayaz Date: Mon, 3 Apr 2023 14:56:11 +0530 Subject: [PATCH 2/6] BAH-2960 | Change Referer-Policy to same-origin --- templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 6ad94c8d..431bece1 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -13,7 +13,7 @@ metadata: add_header Cross-Origin-Resource-Policy "same-origin"; add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"; add_header Pragma "no-cache"; - add_header Referrer-Policy "no-referrer"; + add_header Referrer-Policy "same-origin"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Content-Type-Options "nosniff"; add_header X-Frame-Options "deny"; From e26dfb182db1062989584f859fc9583f46edddbe Mon Sep 17 00:00:00 2001 From: Umair Fayaz Date: Mon, 3 Apr 2023 16:04:32 +0530 Subject: [PATCH 3/6] BAH-2960 | Changed X-Frame-Options to SAMEORIGIN --- templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 431bece1..daf6fb05 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml 
@@ -16,7 +16,7 @@ metadata: add_header Referrer-Policy "same-origin"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Content-Type-Options "nosniff"; - add_header X-Frame-Options "deny"; + add_header X-Frame-Options "SAMEORIGIN"; add_header X-Permitted-Cross-Domain-Policies "none"; nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.metadata.ingress.PROXY_BODY_SIZE }} spec: From 58d2c1dc5a46dc411fcad6a8f0500016e9afc723 Mon Sep 17 00:00:00 2001 From: Umair Fayaz Date: Tue, 4 Apr 2023 11:05:25 +0530 Subject: [PATCH 4/6] BAH-2960 | Allow camera, display-capture, fullscreen, microphone, picture-in-picture --- templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ingress.yaml b/templates/ingress.yaml index daf6fb05..56667a4d 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml 
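Review bot: The framing policy now lives only in the legacy X-Frame-Options header, while the Content-Security-Policy line in the same snippet (outside this hunk) has no `frame-ancestors` directive; browsers that understand CSP treat `frame-ancestors` as the authoritative mechanism, so stating the same intent there keeps both in agreement and covers user agents that ignore X-Frame-Options, e.g. `add_header Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content";`. If a later change ever adds `frame-ancestors` with a different origin set, it would silently override the `SAMEORIGIN` set here, so the two values should be maintained together.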
@@ -11,7 +11,7 @@ metadata: add_header Cross-Origin-Embedder-Policy "require-corp"; add_header Cross-Origin-Opener-Policy "same-origin"; add_header Cross-Origin-Resource-Policy "same-origin"; - add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()"; + add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),document-domain=(),encrypted-media=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),midi=(),oversized-images=(self),payment=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()" add_header Pragma "no-cache"; add_header Referrer-Policy "same-origin"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; From 28e7dbf375037f486d9edd8d0f4e97f873af7a59 Mon Sep 17 00:00:00 2001 From: Umair Fayaz Date: Tue, 4 Apr 2023 11:35:58 +0530 Subject: [PATCH 5/6] BAH-2960 | Set Secure flag on all cookies --- templates/ingress.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 56667a4d..5c762588 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml 
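Review bot: The rewritten Permissions-Policy line ends with `"` and no `;`, so nginx reads the following `add_header Pragma "no-cache";` as extra arguments of the same directive and rejects the configuration at reload; the terminator is restored in patch 5, but as committed here the ingress cannot be applied. Separately, "allowing" camera, display-capture, fullscreen, microphone and picture-in-picture by deleting them from the list hands each feature its browser default allowlist, which differs per feature and is not visible in this file; listing them explicitly as `camera=(self), display-capture=(self), fullscreen=(self), microphone=(self), picture-in-picture=(self)` grants them to this origin while still denying cross-origin frames, and documents the intent the commit message describes.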
@@ -11,14 +11,16 @@ metadata: add_header Cross-Origin-Embedder-Policy "require-corp"; add_header Cross-Origin-Opener-Policy "same-origin"; add_header Cross-Origin-Resource-Policy "same-origin"; - add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),document-domain=(),encrypted-media=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),midi=(),oversized-images=(self),payment=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wake-lock=(),web-share=(),xr-spatial-tracking=()" + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=self, legacy-image-formats=self, magnetometer=(), midi=(), oversized-images=self, payment=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=self, unoptimized-images=self, unsized-media=self, usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()"; add_header Pragma "no-cache"; add_header Referrer-Policy "same-origin"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Content-Type-Options "nosniff"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Permitted-Cross-Domain-Policies "none"; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.metadata.ingress.PROXY_BODY_SIZE }} + nginx.ingress.kubernetes.io/secure-backends: "true" spec: ingressClassName: nginx rules: From 6aa62cb22e8a669981ecf3835b00994417f1ac02 Mon Sep 17 00:00:00 2001 From: Umair Fayaz Date: Wed, 5 Apr 2023 16:42:57 +0530 Subject: [PATCH 6/6] BAH-2960 | Change cache-control header to no-cache --- templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
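Review bot: `add_header Set-Cookie "Path=/; HttpOnly; Secure";` does not add flags to the backend's cookies — `add_header` only appends a new response header, so every response now carries an extra cookie whose name/value pair is `Path=/` and the application's own session cookies are left exactly as the backend sent them. The directive that rewrites proxied cookies is `proxy_cookie_flags`, e.g. `proxy_cookie_flags ~ secure httponly;` in place of the Set-Cookie line (needs an nginx build that supports it; the controller's bundled nginx presumably does, but confirm), and `httponly` should be applied per cookie if the front-end reads any cookie from JavaScript. The `nginx.ingress.kubernetes.io/secure-backends: "true"` annotation is unrelated to cookie flags: it switches the upstream connection to HTTPS, which only works if the backend serves TLS, and recent ingress-nginx versions have dropped it in favour of `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`, so on such a controller it is ignored. The Permissions-Policy rewrite also changes `(self)` to bare `self`, which the header's structured-field syntax accepts, but several listed features (layout-animations, oversized-images, unsized-media and similar) are non-standard and may be reported as unrecognised by browsers; a comment naming the source of the list would help the next reviewer.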
diff --git a/templates/ingress.yaml b/templates/ingress.yaml index 5c762588..4a461193 100644 --- a/templates/ingress.yaml +++ b/templates/ingress.yaml @@ -6,7 +6,7 @@ metadata: environment: {{ .Values.metadata.labels.environment }} annotations: nginx.ingress.kubernetes.io/configuration-snippet: | - add_header Cache-Control "no-store, max-age=0"; + add_header Cache-Control "no-cache, max-age=0"; add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content"; add_header Cross-Origin-Embedder-Policy "require-corp"; add_header Cross-Origin-Opener-Policy "same-origin";
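Review bot: `no-cache, max-age=0` permits shared caches between the client and the ingress to store responses and reuse them after revalidation, which for per-user content is only safe if the backend's validators are per-user; adding `private` keeps browser revalidation while excluding shared caches, i.e. `add_header Cache-Control "no-cache, private, max-age=0";`. Since this header applies to every response on the ingress, a comment stating why revalidation rather than `no-store` was chosen (presumably asset load time) would prevent the value being flipped back in a later hardening pass.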