authorAvielle Wolfe <awolfe@gitlab.com>2019-09-12 18:00:28 -0400
committerAvielle Wolfe <awolfe@gitlab.com>2019-09-12 18:47:04 -0400
commit73dd2502541d568eae98d85dcedf9ba0985173a4 (patch)
treec5d9a5fc32163d894e2521c9c16bdc7699eba700
parentec1956228b75898d42f8f93fc55e3401eeeba463 (diff)
downloadgitlab-ce-73dd2502541d568eae98d85dcedf9ba0985173a4.tar.gz
Update docs to new strategy
* Mention values of 'allow' and 'deny'
* Confirmation -> Permission
* ENABLED -> REQUIRED
-rw-r--r--doc/user/application_security/dast/index.md25
1 files changed, 14 insertions, 11 deletions
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index dd5c0843b92..0f5165f2606 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -134,15 +134,19 @@ variables:
#### Domain validation
-Domain validation is disabled by default. You can enable it by setting the [environment variable](#available-variables) `DAST_FULL_SCAN_DOMAIN_VALIDATION_ENABLED` to true.
+Domain validation is not required by default. It can be required by setting the [environment variable](#available-variables) `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` to true.
Since ZAP full scan actively attacks the target application, DAST sends a ping to the target (normally defined in `DAST_WEBSITE` or `environment_url.txt`) beforehand.
-The target's response must include a `Gitlab-DAST-Confirmation` header. The value of the header can be anything.
-If DAST does not see the header in the response, it will not perform the scan and the job will fail with an error.
+
+If `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` is false or unset, the scan will _proceed_ unless the response to the ping
+includes a `Gitlab-DAST-Permission` header with a value of `deny`.
+
+If `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` is true, the scan will _exit_ unless the response to the ping
+includes a `Gitlab-DAST-Permission` header with a value of `allow`.
![Error message displayed when DAST domain validation fails](img/dast-domain-validation-error.png)
-Here are some examples of adding the `Gitlab-DAST-Confirmation` header to a response in Rails, Django, and Node (with Express).
+Here are some examples of adding the `Gitlab-DAST-Permission` header to a response in Rails, Django, and Node (with Express).
##### Ruby on Rails
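Review bot: the two new paragraphs leave the migration and value-matching edge cases undocumented. Anyone still sending the old `Gitlab-DAST-Confirmation: true` header from the removed lines is now treated as sending no header at all, which under `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED=true` means the scan exits; the text should say so. It should also state what happens when `Gitlab-DAST-Permission` carries a value other than `allow` or `deny`, and whether the comparison is case-sensitive, because the only safe reading of the current wording is that anything except an exact `deny` lets the default mode proceed. Finally, spell out the consequence of the default: with the variable unset, a reachable target that does not actively answer `deny` is subjected to the active ZAP full scan, so teams that want opt-in behaviour must set the variable to true.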
@@ -151,7 +155,7 @@ Here's how you would add a [custom header in Ruby on Rails](https://guides.rubyo
```ruby
class DastWebsiteTargetController < ActionController::Base
def dast_website_target
- response.headers['Gitlab-DAST-Confirmation'] = true
+ response.headers['Gitlab-DAST-Permission'] = 'allow'
head :ok
end
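Review bot: changing the value from the boolean `true` to the string `'allow'` is correct (a header value must be a string, and the old boolean only worked through implicit coercion), but the example sets the header in a single action, `dast_website_target`. The text above says the ping goes to `DAST_WEBSITE` or `environment_url.txt`, so the snippet's introduction should state that the route for this action must be the URL the ping hits; otherwise the permission header is never seen by DAST.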
@@ -166,26 +170,25 @@ Here's how you would add a [custom header in Django](https://docs.djangoproject.
class DastWebsiteTargetView(View):
def head(self, *args, **kwargs):
response = HttpResponse()
- response['Gitlab-Dast-Confirmation'] = true
+ response['Gitlab-Dast-Permission'] = 'allow'
return response
```
-##### [Node (with Express)](http://expressjs.com/en/5x/api.html#res.append)
##### Node (with Express)
Here's how you would add a [custom header in Node (with Express)](http://expressjs.com/en/5x/api.html#res.append):
```javascript
app.get('/dast-website-target', function(req, res) {
- res.append('Gitlab-DAST-Confirmation', 'true')
+ res.append('Gitlab-DAST-Permission', 'allow')
res.send('Respond to DAST ping')
})
```
##### Domain validation header via a proxy
-It's also possible to add the `Gitlab-DAST-Confirmation` header via a proxy.
+It's also possible to add the `Gitlab-DAST-Permission` header via a proxy.
DAST's test suite uses an nginx proxy in a Docker container to allow us to add the
header without modifying the tested application directly.
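Review bot: the Django example writes the header as `Gitlab-Dast-Permission` while every other occurrence in the file, including the Express example in this same hunk, uses `Gitlab-DAST-Permission`. HTTP header names are case-insensitive on the wire, so this works only if DAST's lookup is also case-insensitive; make the casing consistent (`response['Gitlab-Dast-Permission'] = 'allow'` becomes `response['Gitlab-DAST-Permission'] = 'allow'`) so readers do not infer that one spelling is accepted and the other is not. Dropping the duplicate linked heading `-##### [Node (with Express)](...)` is a good cleanup.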
@@ -204,7 +207,7 @@ server {
location / {
proxy_pass http://test-application;
- add_header Gitlab-DAST-Confirmation true;
+ add_header Gitlab-DAST-Permission allow;
}
}
```
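Review bot: `add_header Gitlab-DAST-Permission allow;` is emitted by nginx only for responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308. If the upstream `test-application` answers the ping with any other status (a 404 for an unknown path, a 5xx while it is still starting), the header is dropped, and under `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED=true` the scan exits with the validation error shown earlier. Either document this or write the example as `add_header Gitlab-DAST-Permission allow always;` so the proxy grants permission regardless of the upstream response code.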
@@ -282,7 +285,7 @@ variable value.
| `DAST_AUTH_EXCLUDE_URLS` | no | The URLs to skip during the authenticated scan; comma-separated, no spaces in between. |
| `DAST_TARGET_AVAILABILITY_TIMEOUT` | no | Time limit in seconds to wait for target availability. Scan is attempted nevertheless if it runs out. Integer. Defaults to `60`. |
| `DAST_FULL_SCAN_ENABLED` | no | Switches the tool to execute [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan) instead of [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan). Boolean. `true`, `True`, or `1` are considered as true value, otherwise false. Defaults to `false`. |
-| `DAST_FULL_SCAN_DOMAIN_VALIDATION_ENABLED` | no | Enables [domain validation](#domain-validation) when running DAST full scans. Boolean. `true`, `True`, or `1` are considered as true value, otherwise false. Defaults to `false`. |
+| `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` | no | Requires [domain validation](#domain-validation) when running DAST full scans. Boolean. `true`, `True`, or `1` are considered as true value, otherwise false. Defaults to `false`. |
## Security Dashboard
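Review bot: the table row only says the variable "Requires" domain validation and does not convey the asymmetry documented in the Domain validation section: false or unset still honours an explicit `deny`, while true demands an explicit `allow`. Suggest adding a sentence such as "When false or unset, the scan proceeds unless the target answers with `Gitlab-DAST-Permission: deny`", and, since the description says "when running DAST full scans", state plainly that the variable has no effect unless `DAST_FULL_SCAN_ENABLED` is true.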