Clickjacking and missing HTTP security header Vaadin - security

We recently had a security consultant take a look at our application built using Vaadin. We are still on version 6.
The following is the advice given to implement
"X-Frame-Options" in the header.
Content-Security-Policy: script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Configure web server to include response header X-XSS-Protection: 1; mode=block
My question is, considering Vaadin pays attention to security, how does Vaadin cope with this situation?
In the official Vaadin documentation for version 6 there is no information available.
I also found this solution, but I'm not sure whether it will work. There is also no solution thread on the Vaadin forum for this.

Those headers are not directly within Vaadin's sphere of influence. Vaadin could in theory add such headers to responses that it manages, but there are also some scenarios when some of them wouldn't be appropriate which is why they aren't added by default.
For that reason, I would recommend that you configure your hosting environment (e.g. load balancer or application server) to include the header values that you want in all relevant responses. Another alternative is to create a simple Servlet Filter that adds the headers. A variation of that is described in the answer that you linked to.
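A minimal Servlet Filter of the kind the answer suggests, as an added example that is not Vaadin's code or the answer author's: it sets the four headers the consultant listed on every response it sees. It assumes the javax.servlet API of the Vaadin 6 era and that the filter is mapped to /* in web.xml.

```java
// Added example, not from the question or answer: a Servlet Filter that sets the
// recommended security headers on every response. Register it in web.xml with a
// <filter-mapping> whose <url-pattern> is /* so it covers the Vaadin servlet too.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class SecurityHeadersFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed; header values are fixed below.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Clickjacking: allow the page to be framed only by the same origin.
            http.setHeader("X-Frame-Options", "SAMEORIGIN");
            // Stop browsers from sniffing a content type different from the declared one.
            http.setHeader("X-Content-Type-Options", "nosniff");
            // Legacy reflected-XSS filter in older browsers; ignored where unsupported.
            http.setHeader("X-XSS-Protection", "1; mode=block");
            // script-src 'self' blocks inline scripts and scripts from other origins.
            // Vaadin's bootstrap page relies on inline script, so test this policy
            // first; it may need adjusting or scoping to non-UI paths, which is the
            // kind of case the answer has in mind when it says the headers are not
            // appropriate everywhere.
            http.setHeader("Content-Security-Policy", "script-src 'self'");
        }
        // Headers must be set before the response is committed, so set them
        // before handing the request down the chain.
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```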

Related

Microfrontend or how to share smart UI components?

I work in a company where we have many different applications. To reduce code repetition and keep the experience for the users the same across applications we created a component library which is used by all applications.
Now we want to allow the users to switch between applications. Something similar to what Google does:
Screenshot of Google Application Drawer
An additional requirement for our "Application Switcher" would be that it "updates" itself. Meaning that if we change how this "Application Switcher" looks, we don't want all applications which use this Switcher to have to create a new deployment and be redeployed.
So currently we use the same header (from our component library) in all our applications. So, my idea was to simply add a script tag to all the index.html pages of all the applications which should support this "Application Switcher". The script would parse the DOM, find the header and inject a component for this application switcher. I wanted to host the actual script on a CDN-like server, and the script tag in the index.html would just reference this URL. This way we could change this script however we want, and all the applications would always get the latest version.
Now I did a small proof of concept in our environments and solved all the CORS issues but since we were fetching from an authenticated context and the script was also in an authenticated context I always got a 401.
Additionally, we have the requirement, that this "Application Switcher" shows different applications to different users i.e. depending on which apps a user is allowed to access. So, the script itself will also do calls to an "Application Switcher" backend providing it user-specific information.
Now this makes me think that my initial idea of just putting in a script tag and fetching from a CDN was too simplistic. Now I'm wondering whether it would be better to implement a REST endpoint in all applications to fetch this script. This way I don't have the problems of fetching a resource from an authenticated context from the user's browser and can instead handle all of this in the backend.
So long story short; I feel like a complete noob who just hacks around to get things working (or actually not working) and was wondering if any of the smart internet people out there (who might actually already have experience with this) could give me a hint what would be a clean way to implement this?

Cross site scripting vulnerability issue for Richtext field

We are using Lotus Notes technology for web application development. In order to make our application more secure, we are trying to fix some security issues. One such issue that we are trying to fix is Cross Site Scripting.
Here are the issue details. As part of the application functionality, data is processed from one web page to another to fulfil the workflow process. During the processing of the data we require help to handle rich text field data for special characters () to provide security against hacking by third parties, because our application is in the public domain.
A Cross Site Scripting vulnerability is one that enables a hacker to place client-side scripts (usually JavaScript) into web pages. XSS vulnerabilities generally occur when an application takes user input and outputs it in a page without validating, encoding or escaping it.
We are trying to solve the above issue for CKEditor (a third-party tool) being used in our application. The CKEditor contains the rich text field data. We are unable to handle the request from the backend to prevent the hacker from altering the request parameters.
For your kind information, we are using Domino Release 9.0.1 FP4 on Windows/Longhorn 6.2 Intel and the version of CKEditor is 4.4.6. We searched online for various solutions for handling XSS for the rich text field (CKEditor) but could not find any. We also saw that upgraded CKEditor versions do not provide any fix for the XSS issue.
Could you kindly provide code-level help to handle this issue and fix the XSS vulnerability?
Look at Content Filtering (ACF):
https://ckeditor.com/docs/ckeditor4/latest/guide/dev_acf.html

How to test load a web application?

I am working on a web app which uses JSF. I would like to know what the best practices and available tools are for performing a load test on it.
The application is hosted on GlassFish server 3.1.2.2.
Depends somewhat on the site you want to test. At work we have a complex RIA, and to test it we have to reproduce user interaction. We use JMeter for this.
It's kind of messy to set up (look at the guides they have), but once this is done it's very flexible and allows you to configure and tweak many things. I particularly like its "proxy" feature, where you can proxy your app through JMeter and it records everything so you can play it back later on. Note that for JSF you have to do some tricks with the ViewStateId, so google a "jmeter JSF" guide for how to set this up.
In a previous project I have used RadView WebLOAD to test a JSF site; it enables recording the user scenario and handles correlating the dynamic values.

How to setup the location element in web.config for Parallel with other Frameworks

I'm reading https://github.com/ServiceStack/ServiceStack/wiki/Run-servicestack-side-by-side-with-another-web-framework but it doesn't explain enough or give a solution example (or I just don't know of an example in the SS GitHub site where I can see something like this working with ASP.NET MVC and using that location element).
So I don't understand this custom service path from a Solution/Project perspective in the location element.
Here's how my current Solution looks:
Just a bit about the above pic. The MVC project that I created is the one I outlined in orange. I then added the ServiceStack projects I'll need to work with (we want to work with the actual code from SS, not binaries).
So now I'm looking back at the web.config that sits in my MVC project, which you can see open in the pic. So this "/api", for example, what is that referring to? Like our "Service" that we are gonna expose is in a different project; you see that at the top, the project called ServiceInterface.
I'm trying to understand how this works for the location. Location of what and how would I set that up in my solution here just for example?
#CoffeeAddict
Sorry, but as a simple ServiceStack user like you, I feel the need to tell you
that it is good to have a lot of questions, but
this is not private support; please ask meaningful questions for all the others.
Don't waste mythz's time. We expect him to deliver the new ServiceStack version.
If he is successful, all of us will be too.
P.M.
Down in the page that you mentioned, Run servicestack side by side with another web framework,
there is an example config file ("Example config file for Asp.Net 3.5") in /api.
Maybe it is not appropriate for you, but it is not true that there is no example.
Also, these questions:
Running ServiceStack side by side with MVC
Service Stack on MVC4
The following is from you on Sept 25. It was answered by mythz.
Setting up Web.config to work Side-by-Side with ASP.NET MVC 4
Maybe you are not satisfied, of course, but what to do about it? Nothing.
Check this also:
ServiceStack.Host.Mvc / content / README.txt
Here,
a user's blog post A mixed ASP.Net MVC 4 and ServiceStack reference project
and his sample project on GitHub, DiffStack.

.htaccess for IIS?

Is there a way to get URI based access control directly in IIS that works with static content, ASP, WCF services and anything else that comes in looking something like an HTTP request?
In particular I want the access control to be as bulletproof as possible, preferably making the decision before IIS even tries to figure out what to service the request with.
This link sort of hints that this can't be done, but it's old and I'd be very surprised if what I'm looking for doesn't exist.
This link has a few other options (and a less "aggressive" community).
An ideal solution would be able to declare that everything (static and dynamic content) under a given URL (for example https://dns.name/some/path/*) needs a login and the user must be in some group. Also, I'd rather set it up with a username/password file (at least for now) rather than AD or some Windows account system.
In short I want access control and I don't want to be writing code to get it.
This seems related but I'm not sure it's quite the same.
You can set access rules for an ASP.NET or WCF web application in the web.config file.
HOW TO: Control Authorization Permissions in an ASP.NET Application
If you have access to IIS and you know .htaccess syntax, you can use ISAPI_Rewrite 3. The Lite version is free.
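An added web.config fragment (not from either answer, nor from Microsoft's documentation) showing the kind of authorization rule the first answer refers to, scoped to a URL prefix as the question asks for. `some/path` and `SomeGroup` are placeholders; the `<modules>` setting is what makes the rule apply to static files as well as ASP.NET and WCF requests on the IIS 7 integrated pipeline.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the question or answers. Placeholders: some/path, SomeGroup. -->
<configuration>
  <system.web>
    <!-- Forms authentication keeps the login out of Windows accounts / AD. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />
    </authentication>
  </system.web>

  <!-- Everything under /some/path/ requires a logged-in user in SomeGroup.
       Rules are evaluated top to bottom and the first match wins, so the
       allow must come before the catch-all deny. -->
  <location path="some/path">
    <system.web>
      <authorization>
        <allow roles="SomeGroup" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- Without this, the managed UrlAuthorizationModule only runs for requests
         handled by ASP.NET, so static files under /some/path/ would be served
         without the check. -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```

The same `<location>` block can be repeated for each protected prefix; role membership comes from whatever role provider the site configures.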
