SEC-281: Add awareness of HSTS to security.adoc for strict transport security. #3574

Merged
kemister85 merged 3 commits into tinymce/7 from hotfix/7/SEC-281
Jan 9, 2025

Conversation

@kemister85 (Contributor) commented Jan 8, 2025

Ticket: SEC-281

Site: Staging branch

Changes:

  • Include recommendation for HSTS to security.adoc.

Pre-checks:

  • Branch prefixed with feature/<version>/, hotfix/<version>/, staging/<version>/, or release/<version>/.

Review:

  • Documentation Team Lead has reviewed

@FarzadHayat FarzadHayat left a comment

Nice work. Just some thoughts on the location of the section. I think this doesn't really belong in the "What we do to maintain security for TinyMCE" section since it's more of a recommendation for our integrators rather than anything that we are doing in the TinyMCE editor. My opinion is that this should be a level 2 heading (instead of level 3 heading) and located after the "What we do to maintain security for TinyMCE" section and before the "Configuring Content Security Policy (CSP) for TinyMCE" section.

...
To protect our users, {companyname} ensures that the TinyMCE dependencies are updated before the next version (major or minor) is released.

[[enforcing-https-with-hsts]]
== Enforcing HTTPS with HSTS

...

include::partial$misc/general-csp.adoc[]
...

add a link to the section in the Overview

...
** xref:keeping-dependencies-up-to-date[Keeping dependencies up-to-date]
* xref:enforcing-https-with-hsts[Enforcing HTTPS with HSTS]
* xref:configuring-content-security-policy-csp-for-tinymce[Configuring Content Security Policy (CSP) for TinyMCE]
...

and add a list item to the "What we do to maintain security for TinyMCE" section with content something like: "Provides information about how to configure enforcing HTTPS with HSTS."

...
* Keeps {productname} dependencies up to date, and
* Provides information about how to configure enforcing HTTPS with HSTS, and
* Provides information about how to configure a Content Security Policy that works with {productname}.

Hope that makes sense. I can't put in suggestions because the other sections of the file are not part of the PR file diff.

@WayneWWong WayneWWong left a comment

@kemister85
Good morning Karl, many thanks for progressing this task. I reviewed the change; I do not have comments, and I approve the content.
Many thanks and kind regards,
Wayne

@kemister85 kemister85 merged commit db652b6 into tinymce/7 Jan 9, 2025
5 checks passed
@kemister85 kemister85 deleted the hotfix/7/SEC-281 branch January 9, 2025 03:54