May Invicti findings

[jadudm]

See here.

Due 120 days after report was issued (05/24/2024).

Rounds up #3900 and #3899.

Findings

Beta Give feedback

1. Nosniff header. Possible false positive (see below).
2. Cookie settings. Confirmed false positive
3. Origin header. Should be resolved by Manage cors headers in terraform #4115. @asteel-gsa to confirm post-deploy.
4. Tab navigation. Should be addressed in the app by Invicti: Preventing window.opener phishing vulnerability #4007. PR for static site Using noreferrer where target=blank FAC-transition-site#138

Assigning @ChrisB-16 to shepherd our responses through to the assessment team. Let's check these off when we confirm that the assessors have acknowledged.

[danswick]

Re: the nosniff header, I checked manually and it appears to be present on our pages and is a cloud.gov default. I'm not sure why the Invicti scan isn't seeing it.

[danswick]

@ChrisB-16 will compare against the August findings and scan results to determine if we can close here. We may need to compare the test date to the most recent deploy. Some of the above findings may not have existed in prod by the scan day.

[danswick]

@ChrisB-16 to summarize current findings here.

[ChrisB-16]

This May Invicti VM scan review can be closed. There was no Criticals/ Highs/ Medium findings. The Low findings are being tracked and will be addressed during future patch release for supporting IT software. The ongoing FAC ATO continuous monitoring efforts will track updates and if any new applicable VM finding is discovered.

[ChrisB-16]

This May Invicti VM scan review can be closed. There was no Criticals/ Highs/ Medium findings. The Low findings are being tracked and will be addressed during future patch release for supporting IT software. The ongoing FAC ATO continuous monitoring efforts will track updates and if any new applicable VM finding is discovered.