https://connect.hyland.com/t5/alfresco-forum/http-security-headers-not-detected/m-p/5170#M2513 <P>Hi All,</P><P>We are using ACS 5.2.6 with windows os.</P><P>We have recieved the security vulnerability titled:- HTTP security headers not detected.</P><P>And for the same we have two solution:-</P><P>&nbsp;1. Security filters and clickjacking mitigation</P><DIV class="region region-content"><DIV class="node node-documentation-page node-promoted clearfix"><DIV class="content"><DIV class="field field-name-body field-type-text-with-summary field-label-hidden"><DIV class="field-items"><DIV class="field-item even"><DIV class="body conbody"><DIV class="abstract"><SPAN class="shortdesc">You can configure a security filter,<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy, that mitigates clickjacking attacks in<SPAN>&nbsp;</SPAN><SPAN class="ph">Alfresco Share</SPAN>.</SPAN></DIV><P class="p">SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>is a Java Servlet filter that applies HTTP response headers to incoming requests in<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN>. The headers that are returned are defined in a configuration section called<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>in<SPAN>&nbsp;</SPAN>alfresco-security-config.xml.</P><DIV class="p">Three headers are added by default;<SPAN>&nbsp;</SPAN>X-Frame-Options,<SPAN>&nbsp;</SPAN>X-Content-Type-Options<SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN>X-XSS-Protection:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Frame-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">SAMEORIGIN</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Content-Type-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">nosniff</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-XSS-Protection</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">1; mode=block</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;</SPAN></PRE></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp; &nbsp;2.&nbsp; X-Frame-Options header</P><P class="p">Adding this header to an HTTP response tells the browser whether<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are permitted inside iframes. In our default configuration we have set this to<SPAN>&nbsp;</SPAN>SAMEORIGIN<SPAN>&nbsp;</SPAN>which means that<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are only permitted inside iFrames inside<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>or in other web applications that live under the same domain.&nbsp;</P><DIV class="p">You can override the configuration and set the header to return<SPAN>&nbsp;</SPAN>DENY<SPAN>&nbsp;</SPAN>instead, by placing the following configuration in your<SPAN>&nbsp;</SPAN>share-config-custom.xml<SPAN>&nbsp;</SPAN>file:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><SPAN class="pln">X-Frame-Options</SPAN><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><STRONG><SPAN class="pln">DENY</SPAN></STRONG><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;<BR /></SPAN></PRE><DIV class="section">&nbsp;<P>Can any one suggest which one will be the perfect solution for the same.</P><P>Currently we are planning to go with solution no 2(<FONT size="3">X-Frame-Options header</FONT>)</P></DIV></DIV> Thu, 11 Jun 2020 08:29:19 GMT Mohammadsherani 2020-06-11T08:29:19Z https://connect.hyland.com/t5/alfresco-forum/http-security-headers-not-detected/m-p/5170#M2513 <P>Hi All,</P><P>We are using ACS 5.2.6 with windows os.</P><P>We have recieved the security vulnerability titled:- HTTP security headers not detected.</P><P>And for the same we have two solution:-</P><P>&nbsp;1. Security filters and clickjacking mitigation</P><DIV class="region region-content"><DIV class="node node-documentation-page node-promoted clearfix"><DIV class="content"><DIV class="field field-name-body field-type-text-with-summary field-label-hidden"><DIV class="field-items"><DIV class="field-item even"><DIV class="body conbody"><DIV class="abstract"><SPAN class="shortdesc">You can configure a security filter,<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy, that mitigates clickjacking attacks in<SPAN>&nbsp;</SPAN><SPAN class="ph">Alfresco Share</SPAN>.</SPAN></DIV><P class="p">SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>is a Java Servlet filter that applies HTTP response headers to incoming requests in<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN>. The headers that are returned are defined in a configuration section called<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>in<SPAN>&nbsp;</SPAN>alfresco-security-config.xml.</P><DIV class="p">Three headers are added by default;<SPAN>&nbsp;</SPAN>X-Frame-Options,<SPAN>&nbsp;</SPAN>X-Content-Type-Options<SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN>X-XSS-Protection:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Frame-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">SAMEORIGIN</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Content-Type-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">nosniff</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-XSS-Protection</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">1; mode=block</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;</SPAN></PRE></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><P>&nbsp; &nbsp;2.&nbsp; X-Frame-Options header</P><P class="p">Adding this header to an HTTP response tells the browser whether<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are permitted inside iframes. In our default configuration we have set this to<SPAN>&nbsp;</SPAN>SAMEORIGIN<SPAN>&nbsp;</SPAN>which means that<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are only permitted inside iFrames inside<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>or in other web applications that live under the same domain.&nbsp;</P><DIV class="p">You can override the configuration and set the header to return<SPAN>&nbsp;</SPAN>DENY<SPAN>&nbsp;</SPAN>instead, by placing the following configuration in your<SPAN>&nbsp;</SPAN>share-config-custom.xml<SPAN>&nbsp;</SPAN>file:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><SPAN class="pln">X-Frame-Options</SPAN><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><STRONG><SPAN class="pln">DENY</SPAN></STRONG><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;<BR /></SPAN></PRE><DIV class="section">&nbsp;<P>Can any one suggest which one will be the perfect solution for the same.</P><P>Currently we are planning to go with solution no 2(<FONT size="3">X-Frame-Options header</FONT>)</P></DIV></DIV> Thu, 11 Jun 2020 08:29:19 GMT https://connect.hyland.com/t5/alfresco-forum/http-security-headers-not-detected/m-p/5170#M2513 Mohammadsherani 2020-06-11T08:29:19Z https://connect.hyland.com/t5/alfresco-forum/http-security-headers-not-detected/m-p/5171#M2514 <P>Hi&nbsp;<A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/81429">@Mohammadsherani</A>,</P> <P>As I customer I advise you to raise a ticket through the customer support portal.</P> <P>HTH,&nbsp;</P> Mon, 15 Jun 2020 12:20:24 GMT https://connect.hyland.com/t5/alfresco-forum/http-security-headers-not-detected/m-p/5171#M2514 EddieMay 2020-06-15T12:20:24Z