The dashboard needs to be secure. The following endpoints must be verified as hardened:

- [ ] `GET /api/pipelines` and `GET /api/pipelines/:pid` must only expose relevant information.
- [ ] `GET /api/pipelines/:pid/config` and `POST /api/pipelines/:pid/config` must only be accessible to assignees.
- [ ] `GET /api/runs/:pid/:rid/log` and `GET /api/runs/:pid/:rid/archived` are accessible only if the pipeline is public or the requester is assigned.
- [ ] `POST /trigger/:token` needs to be widely accessible.

Furthermore, CORS and cookie inclusion need to be set:

- [ ] When running in production, only allow same origin for `mode` and `cookies` in `fetch`.
- [ ] Otherwise, allow cross-origin requests.

Lastly:

- [x] An instance of the dashboard should be tested against SSLLabs and receive an A+.