
Remove default values from sensitive application properties #1066

Closed
rpoet-jh opened this issue Oct 17, 2024 · 0 comments · Fixed by eclipse-pass/pass-core#96

What?

To improve security, we have decided to remove default values from sensitive application properties.

Why?

To improve security, so that nobody starts a pass component using default application properties that set credentials, authentication keys, or security-relevant config.

https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

How?

pass-core:

Review the application.yaml. Refactor the configuration so there are no default values for application properties that are sensitive. One idea discussed was to move the security config to a new test profile config in pass-core-main/src/test/resources that the unit and integration tests can use. This will also include moving the sp resources to the test resources dir, and will change config in pass-docker. Some analysis and experimentation will be needed.

In the end, with whatever configuration change is made, it should be as easy as possible to start pass-core locally.

pass-support:

Review all application.properties files in all modules. Remove any sensitive default values. Any present should be able to be removed since they are already set for unit/integration tests.
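An added example, not part of this issue or of the PASS code base, of the kind of check the pass-core and pass-support review steps above call for: a POSIX shell function that flags Spring placeholders of the form `${ENV_VAR:default}` on credential-looking keys, run over a constructed "before" application.yaml and its hardened counterpart. The property names used here (PASS_CORE_DB_PASSWORD, pass.core.api-token, and so on) are invented for illustration and are not the project's actual keys.

```shell
#!/bin/sh
# Added example (not PASS project code): flag sensitive Spring properties that
# carry an inline default via the ${ENV_VAR:default} placeholder syntax.
# Property names and values below are constructed for illustration.

# Print lines of a Spring .properties/.yaml file where a sensitive-looking key
# is assigned a placeholder with a non-empty default (${NAME:value}).
# Key names are matched case-insensitively on common credential words.
find_defaulted_secrets() {
  grep -inE '(password|passwd|secret|credential|token|api[-_]?key|private[-_]?key)[^=:]*[=:].*\$\{[A-Za-z0-9_.-]+:[^}]+\}' "$1" || true
}

# Number of flagged lines, for use in scripts (0 means clean).
count_defaulted_secrets() {
  find_defaulted_secrets "$1" | grep -c . || true
}

# Write a constructed "before" and "after" config and run the check on both.
demo() {
  tmp=$(mktemp -d)
  # Constructed "before" config: sensitive values fall back to inline defaults,
  # so the service starts with known credentials whenever the env vars are unset.
  cat > "$tmp/application.yaml" <<'EOF'
spring:
  datasource:
    url: ${PASS_CORE_DB_URL:jdbc:postgresql://localhost:5432/pass}
    username: ${PASS_CORE_DB_USER:pass}
    password: ${PASS_CORE_DB_PASSWORD:changeme}
pass:
  core:
    api-token: ${PASS_CORE_API_TOKEN:dev-token}
EOF
  # Constructed "after" config: no inline defaults for sensitive properties, so
  # Spring fails at startup with an unresolved placeholder if they are unset.
  cat > "$tmp/application-hardened.yaml" <<'EOF'
spring:
  datasource:
    url: ${PASS_CORE_DB_URL:jdbc:postgresql://localhost:5432/pass}
    username: ${PASS_CORE_DB_USER}
    password: ${PASS_CORE_DB_PASSWORD}
pass:
  core:
    api-token: ${PASS_CORE_API_TOKEN}
EOF
  echo "--- flagged in application.yaml ---"
  find_defaulted_secrets "$tmp/application.yaml"
  echo "before: $(count_defaulted_secrets "$tmp/application.yaml") flagged"
  echo "after:  $(count_defaulted_secrets "$tmp/application-hardened.yaml") flagged"
  rm -rf "$tmp"
}

demo
```

The hardened form relies on Spring's behaviour for `${NAME}` without a default: if the variable is unset, property resolution fails and the application does not start, which is the fail-fast outcome this issue wants. The values the tests need can then live in a profile-specific file such as src/test/resources/application-test.yaml, activated with `spring.profiles.active=test`, so that no runtime profile ever carries them.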

pass-docker:

Review documentation to ensure there is a clear text warning that the local environment should not be used for production.

pass-ui:

Review for any config properties with default values.

Acceptance Criteria

There are no default values for sensitive application properties.
