I tried editing the default configuration but i couldnt find the X-XSS-Protection i could find only x-frame options.
Undertow subsystem is not available in my standalone.xml .
There are 2 options.
The first one, is to set this header in a custom filter which should be placed in your web application's lib folder. The second option, is to develop a custom valve and set this header there.
Related
i want to add content security policy header in tomcat.I am able to add x-frame header by changing webxml file.but i do not if i can add content security policy header in the same way.
please help on this
Using the web.xml file you can publish some security headers, for example X-Frame-Options, X-XSS-Protection, but not the Content-Security-Policy one.
Because web.xml config is based on built-in Tomcat filters which does not support CSP header yet. Therefore, you need to create custom servlet-filter, which can then be used in the web.xml file.
You can found some nitty-gritty about custom filter creation in the grails-x-frame-options-plugin, based on XFO header.
OWASP also has a detailed example of a CSP filter.
We need to fix a vulnerability in JBoss EAP 6.4 which is related to HTTP Security Header Not Detected (QID 11827).
This vulnerability is reported on the application server layer, and not on IHS.
All the suggestions online are for JBoss EAP 7.x (undertow subsystem), and not applicable to JBoss EAP 6.4 (web subsystem).
I have tried to add filters under the WEB subsystem, in the standalone.xml, but it has not worked. Probably I am not using the correct format/syntax.
Please advise.
The aforementioned QID (11827) is detected when the following HTTP Headers are missing:
X-Frame-Options
X-XSS-Protection HTTP
X-Content-Type-Options
Strict-Transport-Security
A nice and easy way to set theses headers is by implementing a custom filter. Please note that this is for a specific web application !
If you want to set these http headers globally, then you must implement a custom valve!
I have a client who uses ColdFusion 10 and IIS 7.5 on Win 2k3 R2. The ColdFusion admin uses frames. When I log into the CF admin I'm seeing a blank white screen in Chrome and in IE I am seeing a message telling me this:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
I see a few of this message (1 for each frame) in the chrome dev console:
Refused to display 'http://localhost/CFIDE/Administrator/navserver.cfm' in a frame because it set 'X-Frame-Options' to 'DENY'.
Looking at the response headers in Chrome, I can see that this is set to DENY.
I can't figure out where this is coming from. All of the sites on this server now are outputting this header. I never explicitly configured anything to output this header. I know CF wouldn't have done so in a patch because it would break its own admin interface.
IIS's root server-wide configuration HTTP Response Headers doesn't have a X-Frame-Options set and neither do any of the configured websites.
If I explicitly add an X-Frame-Options header and set it to sameorigin I see both headers (deny and sameorigin).
Is there perhaps some software the client's security team might have installed that would be injecting this header?
I'm accessing the site on localhost so I can't imagine that it's a network device causing the problem. It must be on the server itself, right?
Any ideas?
This could be set within ColdFusion, assuming it's been locked down. Look in
(instancename)/wwwroot/WEB-INF/web.xml for the rules around clickjack. Might look something like this:
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Another way to test to see if this is being caused by IIS is to set up a frame sample with straight HTML pages and if it works the block is at the ColdFusion level. If straight HTML does not work then it is happening at IIS or some other server location.
In IIS, HTTP Response Headers can be set server-wide (affecting all sites) and/or site-wide (affecting only the current site).
Reading your question again, I see I may not have helped you. Good luck.
I am working with the ATG platform and cannot figure out how to hide or remove the section of the response header "X-ATG-Version: xxxxxxx". I am using JBoss and I have figured out how to remove the "X-powered-by" part of the header but no luck with the ATG part. I am trying to accomplish this for security purposes.
You are not saying which version of ATG you are running or whether you are hosting it behind a WebServer.
In the ATG Documentation it suggests that you can turn off the header in the HeadPipelineServlet using the addingAtgVersionHeader property. You can find the HeadPipelineServlet in the /atg/dynamo/servlet/pipeline/DynamoHandler component. When you do add this property, make sure you add it via the properties file and restart. Changing it in /dyn/admin does not make a difference.
Alternatively you can hide it in your Webserver Configuration. In Apache the following is sufficient:
Header unset X-ATG-Version
And it works reliably.
I'm not sure if this was a change in IIS 7 or if someone before me actively removed X-Server from the HTTP response headers but I need to be able to tell which server in the farm served the current page. I don't see X-Server in the custom variables section of IIS but I'm not sure if it was a custom variable in the first place or if it's in the defaults and it's been disabled via web.config. How do I get my headers back?
You can use custom headers (http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders) to add any header you like.