https://connect.hyland.com/t5/alfresco-forum/security-vulnerablity-http-secuirty-headers-not-detected/m-p/86781#M26209 <P>Hi All,</P><P>We are using ACS 5.2.6 with Windows OS.</P><P>We have recieved the security vulnerablity (http secuirty headers not detected. And for that we have two solution which are given below:-</P><P><FONT size="7">1.</FONT></P><P>Security filters and clickjacking mitigation</P><DIV class="region region-content"><DIV class="node node-documentation-page node-promoted clearfix"><DIV class="content"><DIV class="field field-name-body field-type-text-with-summary field-label-hidden"><DIV class="field-items"><DIV class="field-item even"><DIV class="body conbody"><DIV class="abstract"><SPAN class="shortdesc">You can configure a security filter,<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy, that mitigates clickjacking attacks in<SPAN>&nbsp;</SPAN><SPAN class="ph">Alfresco Share</SPAN>.</SPAN></DIV><P class="p">SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>is a Java Servlet filter that applies HTTP response headers to incoming requests in<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN>. The headers that are returned are defined in a configuration section called<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>in<SPAN>&nbsp;</SPAN>alfresco-security-config.xml.</P><DIV class="p">Three headers are added by default;<SPAN>&nbsp;</SPAN>X-Frame-Options,<SPAN>&nbsp;</SPAN>X-Content-Type-Options<SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN>X-XSS-Protection:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Frame-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">SAMEORIGIN</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Content-Type-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">nosniff</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-XSS-Protection</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">1; mode=block</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;<BR /><BR /></SPAN></PRE><FONT size="7">2.</FONT> X-Frame-Options header<P class="p">Adding this header to an HTTP response tells the browser whether<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are permitted inside iframes. In our default configuration we have set this to<SPAN>&nbsp;</SPAN>SAMEORIGIN<SPAN>&nbsp;</SPAN>which means that<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are only permitted inside iFrames inside<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>or in other web applications that live under the same domain.&nbsp;</P><DIV class="p">You can override the configuration and set the header to return<SPAN>&nbsp;</SPAN>DENY<SPAN>&nbsp;</SPAN>instead, by placing the following configuration in your<SPAN>&nbsp;</SPAN>share-config-custom.xml<SPAN>&nbsp;</SPAN>file:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><SPAN class="pln">X-Frame-Options</SPAN><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><STRONG><SPAN class="pln">DENY</SPAN></STRONG><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;<BR /><BR /></SPAN></PRE><DIV class="section">&nbsp;<P><SPAN>Could you please suggest here which one will be the perfect solution.</SPAN><BR /><BR /><SPAN>Currently we are planning to go with no.2.</SPAN><BR /><SPAN>If any one is thinking about the no 1 please share the exact location of </SPAN><STRONG>alfresco-security-config.xml</STRONG><SPAN>.</SPAN><BR /><BR /><SPAN>have any one implemented the same earlier?</SPAN></P></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 10 Jun 2020 12:53:03 GMT Mohammadsherani 2020-06-10T12:53:03Z https://connect.hyland.com/t5/alfresco-forum/security-vulnerablity-http-secuirty-headers-not-detected/m-p/86781#M26209 <P>Hi All,</P><P>We are using ACS 5.2.6 with Windows OS.</P><P>We have recieved the security vulnerablity (http secuirty headers not detected. And for that we have two solution which are given below:-</P><P><FONT size="7">1.</FONT></P><P>Security filters and clickjacking mitigation</P><DIV class="region region-content"><DIV class="node node-documentation-page node-promoted clearfix"><DIV class="content"><DIV class="field field-name-body field-type-text-with-summary field-label-hidden"><DIV class="field-items"><DIV class="field-item even"><DIV class="body conbody"><DIV class="abstract"><SPAN class="shortdesc">You can configure a security filter,<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy, that mitigates clickjacking attacks in<SPAN>&nbsp;</SPAN><SPAN class="ph">Alfresco Share</SPAN>.</SPAN></DIV><P class="p">SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>is a Java Servlet filter that applies HTTP response headers to incoming requests in<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN>. The headers that are returned are defined in a configuration section called<SPAN>&nbsp;</SPAN>SecurityHeadersPolicy<SPAN>&nbsp;</SPAN>in<SPAN>&nbsp;</SPAN>alfresco-security-config.xml.</P><DIV class="p">Three headers are added by default;<SPAN>&nbsp;</SPAN>X-Frame-Options,<SPAN>&nbsp;</SPAN>X-Content-Type-Options<SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN>X-XSS-Protection:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Frame-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">SAMEORIGIN</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-Content-Type-Options</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">nosniff</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><STRONG><SPAN class="pln">X-XSS-Protection</SPAN></STRONG><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><SPAN class="pln">1; mode=block</SPAN><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;<BR /><BR /></SPAN></PRE><FONT size="7">2.</FONT> X-Frame-Options header<P class="p">Adding this header to an HTTP response tells the browser whether<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are permitted inside iframes. In our default configuration we have set this to<SPAN>&nbsp;</SPAN>SAMEORIGIN<SPAN>&nbsp;</SPAN>which means that<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>pages are only permitted inside iFrames inside<SPAN>&nbsp;</SPAN><SPAN class="ph">Share</SPAN><SPAN>&nbsp;</SPAN>or in other web applications that live under the same domain.&nbsp;</P><DIV class="p">You can override the configuration and set the header to return<SPAN>&nbsp;</SPAN>DENY<SPAN>&nbsp;</SPAN>instead, by placing the following configuration in your<SPAN>&nbsp;</SPAN>share-config-custom.xml<SPAN>&nbsp;</SPAN>file:<PRE><SPAN class="tag">&lt;config</SPAN> <SPAN class="atn">evaluator</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"string-compare"</SPAN> <SPAN class="atn">condition</SPAN><SPAN class="pun">=</SPAN><SPAN class="atv">"SecurityHeadersPolicy"</SPAN><SPAN class="tag">&gt;</SPAN> <SPAN class="tag">&lt;headers&gt;</SPAN> <SPAN class="tag">&lt;header&gt;</SPAN> <SPAN class="tag">&lt;name&gt;</SPAN><SPAN class="pln">X-Frame-Options</SPAN><SPAN class="tag">&lt;/name&gt;</SPAN> <SPAN class="tag">&lt;value&gt;</SPAN><STRONG><SPAN class="pln">DENY</SPAN></STRONG><SPAN class="tag">&lt;/value&gt;</SPAN> <SPAN class="tag">&lt;/header&gt;</SPAN> <SPAN class="tag">&lt;/headers&gt;</SPAN> <SPAN class="tag">&lt;/config&gt;<BR /><BR /></SPAN></PRE><DIV class="section">&nbsp;<P><SPAN>Could you please suggest here which one will be the perfect solution.</SPAN><BR /><BR /><SPAN>Currently we are planning to go with no.2.</SPAN><BR /><SPAN>If any one is thinking about the no 1 please share the exact location of </SPAN><STRONG>alfresco-security-config.xml</STRONG><SPAN>.</SPAN><BR /><BR /><SPAN>have any one implemented the same earlier?</SPAN></P></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 10 Jun 2020 12:53:03 GMT https://connect.hyland.com/t5/alfresco-forum/security-vulnerablity-http-secuirty-headers-not-detected/m-p/86781#M26209 Mohammadsherani 2020-06-10T12:53:03Z