Posted to notifications@skywalking.apache.org by wu...@apache.org on 2022/10/12 13:41:28 UTC

[skywalking] branch wu-sheng-patch-1 created (now ebcb33b1b8)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a change to branch wu-sheng-patch-1
in repository https://gitbox.apache.org/repos/asf/skywalking.git


      at ebcb33b1b8 Add more details on security notice

This branch includes the following new commits:

     new ebcb33b1b8 Add more details on security notice

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[skywalking] 01/01: Add more details on security notice

Posted by wu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch wu-sheng-patch-1
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit ebcb33b1b8b31dce514627bb62ed27c6703610c3
Author: 吴晟 Wu Sheng <wu...@foxmail.com>
AuthorDate: Wed Oct 12 21:41:14 2022 +0800

    Add more details on security notice
---
 docs/en/security/README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/en/security/README.md b/docs/en/security/README.md
index 35e98d2fe0..6cb3aa4883 100644
--- a/docs/en/security/README.md
+++ b/docs/en/security/README.md
@@ -1,7 +1,7 @@
 # Security Notice
 
-The SkyWalking OAP server and UI should run in a secure environment, such as only inside your data center.
-OAP server, UI, and all agents deployment should only be reachable by the operation team only on default
+The SkyWalking OAP server, UI, and agent deployments should run in a secure environment, such as only inside your data center.
+OAP server, UI, and agent deployments should only be reachable by the operation team on default
 deployment.
 
 All telemetry data are trusted. The OAP server **would not validate any field** of the telemetry data to avoid extra
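Review bot: "on default deployment" at the end of the second sentence still reads awkwardly after the rewrite; suggest "by default" or "in a default deployment". Both sentences now open with the same list ("OAP server, UI, and agent deployments"), so they could be merged, e.g. "The SkyWalking OAP server, UI, and agent deployments should run in a secure environment, such as only inside your data center, and by default should be reachable only by the operation team." It would also help to say what "reachable" covers (the OAP server's agent-facing endpoints as well as the UI), since the next paragraph states that the OAP server does not validate any field of the telemetry data, which makes network reachability the control that keeps untrusted senders out.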
@@ -13,8 +13,8 @@ The following security policies should be considered to add to secure your SkyWa
 
 1. HTTPs and gRPC+TLS should be used between agents and OAP servers, as well as UI.
 2. Set up TOKEN or username/password based authentications for the OAP server and UI through your Gateway.
-3. Validate all fields in the body of the traceable RPC(including HTTP 1/2, MQ) headers when requests are from out of
-   the trusted zone.
+3. Validate all fields of the traceable RPC(including HTTP 1/2, MQ) headers(header names are `sw8`, `sw8-x` and `sw8-correlation`) 
+   when requests are from out of the trusted zone. Or simply block/remove those headers unless you are using the client-js agent.
 4. All fields of telemetry data(HTTP in raw text or encoded Protobuf format) should be validated and reject malicious
    data.
 
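Review bot: item 3 is missing spaces before both parentheses ("RPC(including", "headers(header names") and the first added line ends with trailing whitespace; the second sentence is also a fragment starting with "Or". Suggest: "Validate all fields of the traceable RPC (including HTTP 1/2, MQ) headers (`sw8`, `sw8-x` and `sw8-correlation`) when requests come from outside the trusted zone, or simply strip those headers at the boundary unless you are using the client-js agent." Naming the boundary explicitly matters: these headers carry the trace context between instrumented services, so removing them inside the trusted zone would break propagation, while leaving them on untrusted ingress is exactly what lets an outside caller supply values that, per the paragraph above, the OAP server will not validate.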
@@ -27,4 +27,4 @@ and UI services.
 ## appendix
 
 The SkyWalking [client-js](https://github.com/apache/skywalking-client-js) agent is always running out of the secured
-environment. Please follow its **security notice** for more details.
\ No newline at end of file
+environment. Please follow its **security notice** for more details.
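Review bot: the only change in this hunk is the added trailing newline, which is fine. While touching this section, the heading `## appendix` is lowercase whereas the file's other headings are title-cased (`# Security Notice`), so `## Appendix` would be consistent, and "is always running out of the secured environment" would read more clearly as "always runs outside the secured environment".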