Posted to notifications@skywalking.apache.org by wu...@apache.org on 2022/10/12 13:41:29 UTC

[skywalking] 01/01: Add more details on security notice

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch wu-sheng-patch-1
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit ebcb33b1b8b31dce514627bb62ed27c6703610c3
Author: 吴晟 Wu Sheng <wu...@foxmail.com>
AuthorDate: Wed Oct 12 21:41:14 2022 +0800

    Add more details on security notice
---
 docs/en/security/README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/en/security/README.md b/docs/en/security/README.md
index 35e98d2fe0..6cb3aa4883 100644
--- a/docs/en/security/README.md
+++ b/docs/en/security/README.md
@@ -1,7 +1,7 @@
 # Security Notice
 
-The SkyWalking OAP server and UI should run in a secure environment, such as only inside your data center.
-OAP server, UI, and all agents deployment should only be reachable by the operation team only on default
+The SkyWalking OAP server, UI, and agent deployments should run in a secure environment, such as only inside your data center.
+OAP server, UI, and agent deployments should only be reachable by the operation team on default
 deployment.
 
 All telemetry data are trusted. The OAP server **would not validate any field** of the telemetry data to avoid extra
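Review bot: the second rewritten line still reads awkwardly ("should only be reachable by the operation team on default deployment"); "on default deployment" dangles at the end and "operation team" should be "operations team". Suggest "In the default deployment, the OAP server, UI, and agents should be reachable only by the operations team." It is also worth making the dependency explicit in the following paragraph: the statement that all telemetry data are trusted and that the OAP server validates no field holds only under that isolation, so the policies listed below stop being optional as soon as any of these endpoints is exposed beyond the trusted zone.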
@@ -13,8 +13,8 @@ The following security policies should be considered to add to secure your SkyWa
 
 1. HTTPs and gRPC+TLS should be used between agents and OAP servers, as well as UI.
 2. Set up TOKEN or username/password based authentications for the OAP server and UI through your Gateway.
-3. Validate all fields in the body of the traceable RPC(including HTTP 1/2, MQ) headers when requests are from out of
-   the trusted zone.
+3. Validate all fields of the traceable RPC(including HTTP 1/2, MQ) headers(header names are `sw8`, `sw8-x` and `sw8-correlation`) 
+   when requests are from out of the trusted zone. Or simply block/remove those headers unless you are using the client-js agent.
 4. All fields of telemetry data(HTTP in raw text or encoded Protobuf format) should be validated and reject malicious
    data.
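Review bot: the new alternative in item 3, "simply block/remove those headers unless you are using the client-js agent", should say where the stripping happens and why client-js is the exception. The natural place to drop `sw8`, `sw8-x` and `sw8-correlation` on inbound requests is the gateway at the trusted-zone boundary (the same gateway item 2 puts authentication on); with client-js the headers arrive from browsers, i.e. from outside the trusted zone (as the appendix notes), so in that case they must be validated rather than removed. Suggest: "...when requests come from outside the trusted zone, or simply have your gateway strip those headers. If you use the client-js agent, browsers send these headers legitimately, so validate them instead of stripping them." Minor: add a space before `(including` and `(header names`, drop the trailing whitespace on the first `+` line, and "HTTP 1/2" would read better as "HTTP/1.x and HTTP/2".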
 
@@ -27,4 +27,4 @@ and UI services.
 ## appendix
 
 The SkyWalking [client-js](https://github.com/apache/skywalking-client-js) agent is always running out of the secured
-environment. Please follow its **security notice** for more details.
\ No newline at end of file
+environment. Please follow its **security notice** for more details.
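Review bot: the only change here is the missing trailing newline, which is fine. While this paragraph is being touched, "Please follow its **security notice**" could link directly to that notice rather than only to the repository, since this appendix is the one place readers of this page are sent for client-js guidance.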