Request to Implement CSP header in your Application


dev...@t-systems.com

Sep 19, 2023, 4:28:03 AM
to jenkins...@googlegroups.com, jenkin...@googlegroups.com, jenkins-advocacy...@googlegroups.com

Hello,


I hope this message finds you well. I am writing to discuss an important security matter regarding your product, Jenkins. We greatly value the solution your company provides and as a dedicated user of your product, we believe it’s essential to address a security concern to ensure the continued safety of our systems and data. 

Considering the increasing importance of web security, we have been reviewing the security measures in place for all our software applications, including third-party integrations like Jenkins. One fundamental aspect of web security that we would like to discuss is implementation of Content Security Policy (CSP) headers. 


Content Security Policy is a crucial security feature that helps protect web applications against various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

By defining a CSP policy, your application can specify which sources of content are trusted, thereby mitigating the risk of malicious code execution. 

We have noticed that your application currently does not include CSP headers in its HTTP responses. We kindly request that you consider implementing CSP headers to enhance the security of your product. Doing so will not only bolster the trust and confidence we have in your application but will also align with best practice in web security. 


We appreciate your attention to this matter and look forward to discussing the implementation of CSP headers further. Please let us know your thoughts regarding this matter.


Thank you for your prompt attention to this important security request.


Best Regards,
DevOps-as-a-Service Team


T-SYSTEMS INTERNATIONAL GMBH
Service Desk DevOps-as-a-Service
Hahnstr. 43 d, D-60528 Frankfurt am Main

Service hotline: +49 69 9731799115
WEB-Portal: https://prd.sdc.t-systems.net/jira/servicedesk/
E-mail: dev...@t-systems.com

Internet: http://www.t-systems.com
Social Media: Twitter, Xing, Linkedin

Notice: This transmittal and/or attachments may be privileged or confidential. It is intended solely for the addressee named above. If you received this transmittal in error, please notify us immediately by reply and immediately delete this message and all its attachments. Thank you.
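The request above asks for a Content-Security-Policy header without saying what a reasonable policy looks like or how to tell whether a response already carries one. The following script is an added example, not code from the thread, from T-Systems or from the Jenkins project. It parses a CSP header value into its directives, audits a response's headers for the weaknesses that defeat the purpose of the policy (missing header, report-only mode, `'unsafe-inline'` or wildcard script sources, plugins allowed, no `base-uri`), and shows a helper that adds a hardened baseline policy to a response that lacks one. The baseline policy, the sample responses and the finding texts are constructed for this example.

```python
"""Added example (not from the thread or the Jenkins project): parse and
audit Content-Security-Policy headers, and add a hardened baseline policy.
The baseline policy, sample responses and finding texts are assumptions."""

from __future__ import annotations

# Constructed baseline used by add_csp(): same-origin only, no plugins,
# no <base> hijacking, no framing by other origins.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "object-src 'none'; "
    "base-uri 'self'; "
    "frame-ancestors 'self'"
)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace.  A repeated
    directive is ignored by browsers, so the first occurrence wins here too.
    """
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing `directive`; fetch directives such as script-src and
    object-src fall back to default-src when they are not set explicitly."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one response's headers (empty means OK)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in lowered:
            return ["policy is report-only: violations are logged but nothing is blocked"]
        return ["no Content-Security-Policy header in response"]

    policy = parse_csp(value)
    findings: list[str] = []

    scripts = effective_sources(policy, "script-src")
    if not scripts:
        findings.append("script-src and default-src both absent: scripts unrestricted")
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}")
    for src in scripts:
        if src in ("http:", "https:", "data:"):
            findings.append(f"script-src allows any {src} URL")

    # base-uri does not inherit from default-src; without it an injected
    # <base> tag can redirect relative script URLs.
    if "base-uri" not in policy:
        findings.append("base-uri absent")

    if "'none'" not in effective_sources(policy, "object-src"):
        findings.append("object-src is not 'none': plugin content allowed")

    return findings


def add_csp(headers: dict[str, str], policy: str = HARDENED_CSP) -> dict[str, str]:
    """Return a copy of `headers` with the baseline policy added when none is set."""
    new_headers = dict(headers)
    if not any(k.lower() == "content-security-policy" for k in new_headers):
        new_headers["Content-Security-Policy"] = policy
    return new_headers


# Constructed sample responses (header dicts only) for a quick demonstration.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "no_header": {"Content-Type": "text/html"},
    "weak": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    },
    "hardened": {"Content-Type": "text/html", "Content-Security-Policy": HARDENED_CSP},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name}: {audit_csp(headers) or 'OK'}")
    print("after add_csp:", audit_csp(add_csp(SAMPLE_RESPONSES["no_header"])) or "OK")
```

`audit_csp` works on a plain header dictionary, so it can be pointed at the headers returned by any HTTP client in a test suite; the checks it performs are the ones most commonly cited when a CSP is present but ineffective, and a policy that passes them still needs review against the application's real script and style sources before it is enforced rather than reported.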

Mark Waite

Sep 19, 2023, 7:44:42 AM
to Jenkins Advocacy and Outreach SIG
I provided the following response when I rejected this message to the Jenkins board:

I've rejected your message to the Jenkins governance board mailing list because the topic is not a governance board item.  However, I felt that your very kind message deserved a response, so I'm providing this response.

You said:

The Jenkins security team agrees with you that Jenkins should implement content security policy.  They have created the Content-Security-Policy Compatibility Introduction page.  The instructions on that page help developers identify locations that are not compatible with the CSP directives that can prevent injection attacks like cross-site scripting.  The instructions guide those developers to make the changes so that CSP can eventually be enabled without breaking Jenkins users.

A video tutorial on CSP introduction has also been provided by the Jenkins Security Officer as part of Hacktoberfest 2021.  We've encouraged CSP contributions in Hacktoberfest 2022 as well.  We'll continue to encourage CSP contributions in Hacktoberfest 2023.

A Jenkins Jira epic tracks progress towards implementing CSP and another epic describes the steps needed for a smooth introduction of CSP into Jenkins.  Changes in Jenkins core to the user interface are reviewed by the Jenkins security team to assure that UI updates continue to progress towards eventual implementation of CSP throughout Jenkins.

You're encouraged to contribute to the implementation.

Many pull requests have been submitted to Jenkins core as part of the journey to eventually enable CSP in Jenkins.  I encourage you to add your own contributions to that effort.

If you'd like to discuss the topic further, you're welcome to start a CSP topic in the Jenkins community forum or raise a question in the Jenkins users mailing list.

Thanks,
Mark Waite - Jenkins board member