Add X-XSS-Protection HTTP Header for RASA Core server request- http://<hostname>:5005

Hi,

I want to add some security headers to the request http://:5005. I have set up an Apache reverse proxy at port 9090; now I can access the page http://:9090 and I can see the "Hello from Rasa" page.

Now I would like to prevent direct access for http://:5005. Kindly suggest! Also sharing curl responses for clarity.

curl -i http://localhost:9090
HTTP/1.1 200 OK
Date: Thu, 31 Oct 2019 16:53:46 GMT
Server: Apache
X-Frame-Option: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 22
Content-Type: text/plain; charset=utf-8

Hello from Rasa: 1.4.3

curl -i http://localhost:5005
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: 5
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 22
Content-Type: text/plain; charset=utf-8

Hello from Rasa: 1.4.3

I want this response to be a 404, as we see for the action server request below:

curl -i http://localhost:5055
HTTP/1.1 404 NOT FOUND
Content-Type: text/html
Content-Length: 232
Date: Thu, 31 Oct 2019 16:53:31 GMT

404 Not Found

Not Found

The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

--------------------------------

Either we need to prevent direct HTTP access to 5005, so that requests must pass through the 9090 proxy configuration where I have configured the required security headers, or is there a way to add the security headers directly without configuring a reverse proxy? Kindly help.

RASA version: 1.4.3

Thank You.

Regards, Arunabh

This issue has been addressed by modifying the Rasa Core run.py file, which uses the Sanic server. In future, it would be good if we could have this configurable via the RASA config files.

Reference: Middleware And Listeners — Sanic 19.9.0 documentation
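A Sanic "response" middleware that sets on :5005 the same security headers the Apache proxy on :9090 returns in the curl output above, as an added example; it is not the code from the post above nor Rasa's own, and the function names and the hook point (registering on the Sanic app object created in run.py) are assumptions. Note the proxy output shows `X-Frame-Option`, while the standard header name is `X-Frame-Options`, which the example uses.

```python
# Added example (not the code from the post above, nor Rasa's own):
# a Sanic "response" middleware that sets on :5005 the same security
# headers the Apache proxy on :9090 adds. Function names are assumptions.
import asyncio
from typing import Any, MutableMapping

# Values mirror the curl output of the :9090 proxy in this thread
# (with the header name corrected to X-Frame-Options).
SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
}


def apply_security_headers(headers: MutableMapping[str, str]) -> MutableMapping[str, str]:
    """Add each security header unless the handler already set it.

    Names are compared case-insensitively so a handler's own value
    (e.g. a stricter CSP for one endpoint) is never overwritten.
    """
    present = {name.lower() for name in headers}
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            headers[name] = value
    return headers


async def security_headers_middleware(request: Any, response: Any) -> None:
    """Sanic response middleware: runs after every handler, before the reply is sent."""
    apply_security_headers(response.headers)


def register_security_headers(app: Any) -> None:
    """Attach the middleware to a Sanic app (call once, after the app is created in run.py)."""
    app.middleware("response")(security_headers_middleware)


if __name__ == "__main__":
    # Offline demo: a stand-in response whose .headers is a plain dict.
    class _Response:
        def __init__(self) -> None:
            self.headers: MutableMapping[str, str] = {"Content-Type": "text/plain; charset=utf-8"}

    reply = _Response()
    asyncio.run(security_headers_middleware(None, reply))
    for name, value in reply.headers.items():
        print(f"{name}: {value}")
```

Browsers ignore Strict-Transport-Security on plain HTTP, so that header only takes effect once :5005 is served over TLS.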

Hey @Arunabh09, glad you got it figured out so quickly. Would you maybe want to create an issue for this on the GitHub for Rasa?

Hi @btotharye as suggested, I have created an issue for this.

Hi @Arunabh09, exactly where should we append this code? Is it fine at the end of the run.py file, or within some function in the run.py file?