Data Security

Business Teams are stored in the EDB PostgreSQL service database. You cannot enable the encryption of data at rest by using the cloud-native-postgresql operator. So, use the Red Hat® OpenShift® Container Platform storage class that you configured for your deployment to enable encryption.

Security Hardening

To avoid host header injection attacks, you can configure Platform UI (ibm-platformui-operator) to reject requests where the HTTP header Host does not match the expected value as configured with key URL_PREFIX in configmap product-configmap. Complete the following configuration steps:

1. Edit the namespace where Platform UI is installed by editing the product-configmap.

   • By using the console

   • In OpenShift console, go to Workloads > ConfigMaps.

   • Select your project and search for product-configmap.

   • Add or update a key HOST_INJECTION_CHECK_ENABLED to have a value of true.

   • By using the CLI

     Run the following command:

     oc patch configmap product-configmap -p '{"data":{"HOST_INJECTION_CHECK_ENABLED": "true"}}'
     

2. Restart the Platform UI pods:

   • By using the console

   • In OpenShift console, go to Workloads > Pods.

   • Select your project and search for ibm-nginx.

   • Delete the pods.

   • By using the CLI

     Run the following command:

     oc delete pod -l component=ibm-nginx