Security

This page outlines the security considerations for the coming-soon static website hosted on GitLab Pages.

Security Considerations

While a static website is less susceptible to traditional web application vulnerabilities, it’s still important to implement basic security measures.

1. Content Security Policy (CSP):

  • Why: CSP helps mitigate cross-site scripting (XSS) attacks by defining a whitelist of trusted sources from which the browser may load resources such as scripts, stylesheets, images, and fonts; anything outside that list is refused by the browser.

  • How: The Content-Security-Policy HTTP header is configured to specify the allowed sources.

    Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'

    In this example:

    • default-src 'self' allows resources to be loaded only from the same origin; it is the fallback for every fetch directive that is not listed explicitly (for example img-src or font-src).
    • script-src 'self' https://www.google-analytics.com allows scripts from the same origin and from Google Analytics. Because 'unsafe-inline' is not listed here, inline <script> blocks and inline event handlers are blocked.
    • style-src 'self' 'unsafe-inline' allows stylesheets from the same origin as well as inline styles.
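    The following script is an added example and is not code from the original page or the coming-soon project. It parses the policy string quoted above and audits a constructed sample of built HTML, reporting which resources the browser would load and which it would refuse. The origin https://example.gitlab.io, the sample markup, and the function names are assumptions made for the illustration; nonces, hashes and 'strict-dynamic' are deliberately left out of this simplified evaluator.

```javascript
// Added example, not part of the original page: a minimal Content-Security-Policy
// evaluator that audits a built page against the policy quoted above.
// Function names, PAGE_ORIGIN and SAMPLE_HTML are constructed for illustration.
// Nonces, hashes and 'strict-dynamic' are not handled here.

const POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'";

// Parse "directive src src; directive src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives (script-src, style-src, img-src, ...) fall back to default-src.
function sourcesFor(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? [];
}

// Does one source expression permit `url` for a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;               // 'none', 'unsafe-inline', ... never match a URL
  if (source.endsWith(":")) return url.protocol === source; // scheme-source such as https:
  // host-source: [scheme://]host with an optional leading "*." wildcard; port and path are ignored here
  let scheme = null;
  let rest = source;
  const sep = source.indexOf("://");
  if (sep !== -1) {
    scheme = source.slice(0, sep) + ":";
    rest = source.slice(sep + 3);
  }
  const host = rest.split("/")[0].split(":")[0].toLowerCase();
  if (scheme && url.protocol !== scheme) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1)); // "*.example.com" -> ".example.com"
  return url.hostname === host;
}

// May a URL-based resource (external script, stylesheet, image) be loaded under `directive`?
function isUrlAllowed(policy, directive, href, pageOrigin) {
  const url = new URL(href, pageOrigin); // resolves relative paths such as /js/app.js
  return sourcesFor(policy, directive).some((s) => sourceMatches(s, url, pageOrigin));
}

// Inline <script>/<style> content needs 'unsafe-inline' on the governing directive.
function isInlineAllowed(policy, directive) {
  return sourcesFor(policy, directive).includes("'unsafe-inline'");
}

// Walk the tags CSP governs in a built page and sort them into allowed / blocked.
function auditHtml(html, header, pageOrigin) {
  const policy = parseCsp(header);
  const result = { allowed: [], blocked: [] };
  const attr = (tag, name) => {
    const m = new RegExp("\\b" + name + "\\s*=\\s*[\"']([^\"']+)[\"']", "i").exec(tag);
    return m ? m[1] : null;
  };
  const record = (label, ok) => (ok ? result.allowed : result.blocked).push(label);

  for (const [, tag] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(tag, "src");
    if (src) record("script " + src, isUrlAllowed(policy, "script-src", src, pageOrigin));
    else record("inline script", isInlineAllowed(policy, "script-src"));
  }
  for (const [, tag] of html.matchAll(/<link\b([^>]*)>/gi)) {
    const href = attr(tag, "href");
    if (href && /stylesheet/i.test(attr(tag, "rel") ?? ""))
      record("stylesheet " + href, isUrlAllowed(policy, "style-src", href, pageOrigin));
  }
  for (const _ of html.matchAll(/<style\b[^>]*>/gi)) record("inline style", isInlineAllowed(policy, "style-src"));
  for (const [, tag] of html.matchAll(/<img\b([^>]*)>/gi)) {
    const src = attr(tag, "src");
    if (src) record("img " + src, isUrlAllowed(policy, "img-src", src, pageOrigin)); // img-src falls back to default-src
  }
  return result;
}

// Constructed sample of what a coming-soon index page might reference (assumed origin).
const PAGE_ORIGIN = "https://example.gitlab.io";
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<style>body { margin: 0 }</style>
<script src="/js/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>console.log("inline")</script>
<script src="https://cdn.example.net/lib.js"></script>
<img src="https://images.example.net/hero.png">
`;

console.log(auditHtml(SAMPLE_HTML, POLICY, PAGE_ORIGIN));
```

    Run it with node to see the audit: the same-origin script and stylesheet, the Google Analytics script and the inline style are allowed, while the inline script, the script from cdn.example.net and the image from images.example.net are blocked, the last one because img-src is absent and therefore inherits default-src 'self'. If the hosting platform does not let you set response headers, the same policy string can be delivered in a <meta http-equiv="Content-Security-Policy" content="..."> element in the page head, with the caveat that frame-ancestors, report-uri and sandbox are ignored when delivered that way.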

2. HTTPS:

  • Why: HTTPS encrypts communication between the website and the user’s browser, protecting sensitive information like login credentials.

  • How: GitLab Pages automatically enforces HTTPS, ensuring all traffic is encrypted.

3. Cross-Site Request Forgery (CSRF) Protection:

  • Why: CSRF attacks exploit the user’s authenticated session to execute unauthorized actions on their behalf.

  • How: As a static website, coming-soon has no authenticated sessions, forms, or state-changing requests that a CSRF attack could target. Therefore, specific CSRF protection measures aren’t necessary.

4. Sensitive Data:

  • Why: The coming-soon website should avoid storing or exposing sensitive information like passwords or financial data.

  • How: The website’s content is purely static, ensuring no sensitive data is collected or processed.

5. Logging and Monitoring:

  • Why: It’s essential to monitor website activity for potential security issues.

  • How: GitLab Pages doesn’t provide real-time logging or monitoring capabilities. However, GitLab’s infrastructure offers general security monitoring and logging for the entire platform.

6. Regular Security Updates:

  • Why: Keeping software and libraries up-to-date is crucial to patch vulnerabilities.

  • How: GitLab Pages uses a secure, managed environment, ensuring all underlying software components are regularly updated.