This section explains how to minimize the security threats to the Jaggery applications that are hosted within your WSO2 DAS pack. This is achieved via headers that can be embedded in the HTTP responses of these applications.
Available headers

The following headers should be enabled for every Jaggery application:

Header | Purpose
---|---
X-XSS-Protection: 1; mode=block | Enables the reflected XSS filter in browsers that implement it and makes them block the page rather than try to sanitize it. Current Chromium-based browsers and Firefox no longer ship this filter, so it protects older browsers only and is no substitute for output encoding.
X-Content-Type-Options: nosniff | Disables MIME sniffing, which in certain browsers lets a response served with a non-script content type be interpreted as HTML or script and so become a reflected or stored XSS vector.
Cache-Control: no-store, no-cache, must-revalidate, private | Prevents responses carrying sensitive information from being cached by browsers, proxies and other intermediate network devices.
In addition, the following headers should be enabled according to the requirements of the application. They can be customized per URL pattern (see "Catering to customizations of Jaggery applications" below).

Header | Purpose
---|---
X-Frame-Options: DENY | Prevents any page from embedding the Jaggery app in an iframe or frame, which defeats clickjacking.
X-Frame-Options: SAMEORIGIN | Allows only pages from the same origin to embed the Jaggery app in an iframe or frame. Use this when the app legitimately frames its own pages.
Info |
---|
The |
The following header is optional and should be enabled in staging and production environments for additional security:

Header | Purpose
---|---
Strict-Transport-Security: max-age=15768000; includeSubDomains | Instructs a browser that has received the header to refuse plain HTTP connections to the host for the number of seconds given by max-age (15768000 seconds is about six months) and, with includeSubDomains, to all of its subdomains as well. Browsers honour the header only when it arrives over HTTPS, and once it is cached they no longer let the user click through certificate warnings for that host.
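As an added example (not part of the original page or of WSO2 DAS), the following Python script parses a captured HTTP response head and reports which of the headers in the tables above are missing or weaker than the recommended values. The two responses at the bottom are constructed for the demonstration, not captured from a real server; the minimum HSTS lifetime it accepts is the page's 15768000 seconds.

```python
"""Check a captured HTTP response for the headers recommended on this page.

Added example for this page, not WSO2 DAS or Jaggery code. It parses a raw
HTTP/1.1 response head and reports which recommended headers are missing or
weaker than the page's values. The two responses at the bottom are constructed
for the demonstration, not captured from a real server.
"""
from typing import Dict, List

# Minimum HSTS lifetime accepted here: the page's value, 15768000 s (about six months).
MIN_HSTS_MAX_AGE = 15768000

# Cache-Control directives the page requires on responses that may carry sensitive data.
REQUIRED_CACHE_DIRECTIVES = {"no-store", "no-cache", "must-revalidate", "private"}


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the response headers keyed by lower-cased name.

    Only the head is parsed; anything after the blank line is ignored. Repeated
    headers are joined with ', ', which is how RFC 7230 defines list-valued fields.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_directives(value: str) -> Dict[str, str]:
    """Split a directive list such as 'max-age=300; includeSubDomains' into {name: parameter}."""
    directives: Dict[str, str] = {}
    for part in value.replace(";", ",").split(","):
        part = part.strip()
        if part:
            name, _, param = part.partition("=")
            directives[name.strip().lower()] = param.strip()
    return directives


def check_security_headers(raw_response: str, production: bool = True) -> List[str]:
    """Return findings; an empty list means every recommended header is present and strong enough.

    Strict-Transport-Security is only demanded when production=True, matching the
    page's advice to enable HSTS in staging and production but not in development.
    """
    h = parse_headers(raw_response)
    findings: List[str] = []

    if parse_directives(h.get("x-xss-protection", "")) != {"1": "", "mode": "block"}:
        findings.append("X-XSS-Protection should be '1; mode=block'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")

    missing = REQUIRED_CACHE_DIRECTIVES - set(parse_directives(h.get("cache-control", "")))
    if missing:
        findings.append("Cache-Control is missing: " + ", ".join(sorted(missing)))

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")

    if production:
        hsts = parse_directives(h.get("strict-transport-security", ""))
        max_age = hsts.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age should be at least {MIN_HSTS_MAX_AGE} seconds")
        elif "includesubdomains" not in hsts:
            findings.append("Strict-Transport-Security should carry includeSubDomains")
    return findings


# Constructed sample responses (not captured from a real DAS instance).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, private\r\n"
    "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n"
    "\r\n"
    "<html><body>dashboard</body></html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-XSS-Protection: 0\r\n"
    "Cache-Control: no-cache\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label + ":", check_security_headers(response) or ["all recommended headers present"])
```

To use it against a running instance, paste the head of a response obtained with `curl -skI https://<host>:9443/<app>/` into `check_security_headers`; pass `production=False` when checking a development instance where HSTS is intentionally off.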
Enabling a header

To apply the basic security headers required to secure Jaggery applications, update the <DAS_HOME>/repository/deployment/server/jaggeryapps/<app-name>/jaggery.conf file as shown in the steps below. These steps demonstrate an example scenario where two servlet filters are enabled: the HttpHeaderSecurityFilter, which sets X-XSS-Protection, X-Content-Type-Options, X-Frame-Options and, optionally, Strict-Transport-Security, and the ContentTypeBasedCachePreventionFilter, which sets Cache-Control. Separate settings are given for development and production environments.
For development environments:

1. Add the two filters named HttpHeaderSecurityFilter and ContentTypeBasedCachePreventionFilter in the "filters": [] section as shown below. hstsEnabled is set to false because development instances normally use a self-signed certificate, and once a browser has cached an HSTS policy for the host it no longer allows the certificate warning to be bypassed. patterns lists, comma separated, the response content types that receive the Cache-Control header.

```js
"filters": [
    {
        "name": "HttpHeaderSecurityFilter",
        "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
        "params": [
            {"name": "hstsEnabled", "value": "false"},
            {"name": "antiClickJackingOption", "value": "SAMEORIGIN"}
        ]
    },
    {
        "name": "ContentTypeBasedCachePreventionFilter",
        "class": "org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter",
        "params": [
            {"name": "patterns", "value": "text/html,application/json,text/plain"},
            {"name": "filterAction", "value": "enforce"},
            {"name": "httpHeaders", "value": "Cache-Control: no-store, no-cache, must-revalidate, private"}
        ]
    }
],
```

2. Add the filter mappings for the two filters you added to the "filterMappings": [] section as shown below.

```js
"filterMappings": [
    {"name": "HttpHeaderSecurityFilter", "url": "*"},
    {"name": "ContentTypeBasedCachePreventionFilter", "url": "*"}
]
```

3. Save your changes.
For production environments:

1. Add the two filters named HttpHeaderSecurityFilter and ContentTypeBasedCachePreventionFilter in the "filters": [] section as shown below. hstsEnabled is left at Tomcat's default of true, hstsMaxAgeSeconds sets the lifetime of the HSTS policy, and hstsIncludeSubDomains is set so the header matches the value in the table above. Tomcat emits Strict-Transport-Security only on requests it sees as secure, so when TLS is terminated on a load balancer in front of DAS the connector must mark the forwarded requests as secure, or the header is never sent.

```js
"filters": [
    {
        "name": "HttpHeaderSecurityFilter",
        "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
        "params": [
            {"name": "hstsMaxAgeSeconds", "value": "15768000"},
            {"name": "hstsIncludeSubDomains", "value": "true"},
            {"name": "antiClickJackingOption", "value": "SAMEORIGIN"}
        ]
    },
    {
        "name": "ContentTypeBasedCachePreventionFilter",
        "class": "org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter",
        "params": [
            {"name": "patterns", "value": "text/html,application/json,text/plain"},
            {"name": "filterAction", "value": "enforce"},
            {"name": "httpHeaders", "value": "Cache-Control: no-store, no-cache, must-revalidate, private"}
        ]
    }
],
```

2. Add the filter mappings for the two filters you added to the "filterMappings": [] section as shown below.

```js
"filterMappings": [
    {"name": "HttpHeaderSecurityFilter", "url": "*"},
    {"name": "ContentTypeBasedCachePreventionFilter", "url": "*"}
]
```

3. Save your changes.
Catering to customizations of Jaggery applications

As mentioned before, some headers can be customized based on the URL pattern. For example, to send X-Frame-Options only for a particular page in a Jaggery application, configure two instances of the HttpHeaderSecurityFilter as follows:

1. Open the <DAS_HOME>/repository/deployment/server/jaggeryapps/<app-name>/jaggery.conf file and add the filters shown below. The first instance keeps X-XSS-Protection and X-Content-Type-Options for every URL but has anti-clickjacking switched off; the second instance does nothing except set X-Frame-Options.

```js
"filters": [
    {
        "name": "HttpHeaderSecurityFilter",
        "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
        "params": [
            {"name": "antiClickJackingEnabled", "value": "false"}
        ]
    },
    {
        "name": "HttpHeaderSecurityFilter_AntiClickJacking",
        "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
        "params": [
            {"name": "hstsEnabled", "value": "false"},
            {"name": "blockContentTypeSniffingEnabled", "value": "false"},
            {"name": "xssProtectionEnabled", "value": "false"}
        ]
    }
],
```

2. Add the filter mappings as shown below.

```js
"filterMappings": [
    {"name": "HttpHeaderSecurityFilter", "url": "*"},
    {"name": "HttpHeaderSecurityFilter_AntiClickJacking", "url": "/portal/dashboards/mydashboard"}
]
```

In the above configuration, the X-Frame-Options header is sent only for the /portal/dashboards/mydashboard page, assuming that mydashboard is available in the application. Because the second instance does not set antiClickJackingOption, Tomcat's default of DENY is used; add {"name": "antiClickJackingOption", "value": "SAMEORIGIN"} to its params if the page must stay embeddable from the same origin. Disabling the other headers in the second instance (hstsEnabled, blockContentTypeSniffingEnabled and xssProtectionEnabled) is not required, because the first instance already sets them for every URL, but it avoids setting the same headers twice. Note also that the first instance no longer carries hstsMaxAgeSeconds: in production keep {"name": "hstsMaxAgeSeconds", "value": "15768000"} (and hstsIncludeSubDomains) on it, since hstsEnabled defaults to true and with Tomcat's default max-age of 0 the filter sends Strict-Transport-Security: max-age=0 over HTTPS, which tells browsers to discard any HSTS policy they hold for the host.

3. Save the changes.
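The following Python script is an added example for both the development/production procedure and the per-URL customization above; it is neither WSO2 nor Apache Tomcat code. It models the init parameters of org.apache.catalina.filters.HttpHeaderSecurityFilter with Tomcat's documented defaults and walks the "filters" and "filterMappings" of a jaggery.conf for a given request path, so you can predict which headers a page receives before deploying. The embedded configuration is the per-URL customization from this page; the URL matching is a simplified servlet-style model and the request paths other than /portal/dashboards/mydashboard are made up for the demonstration. Running it shows that the customized configuration, as written, emits Strict-Transport-Security: max-age=0 on HTTPS requests, and how restoring the production HSTS parameters on the first filter corrects that.

```python
"""Predict which security headers a Jaggery page gets from its jaggery.conf filters.

Added example for this page; neither WSO2 nor Apache Tomcat code. It models the
init parameters of org.apache.catalina.filters.HttpHeaderSecurityFilter with
Tomcat's defaults and applies the mapped filter instances to one request path.
URL matching is a simplified servlet-style model (assumption); ALLOW-FROM is not
modelled. Paths other than /portal/dashboards/mydashboard are made up.
"""
import json
from typing import Dict

HTTP_HEADER_SECURITY_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Tomcat defaults for the filter's init parameters, as strings like in jaggery.conf.
DEFAULTS = {
    "hstsEnabled": "true",
    "hstsMaxAgeSeconds": "0",
    "hstsIncludeSubDomains": "false",
    "antiClickJackingEnabled": "true",
    "antiClickJackingOption": "DENY",
    "blockContentTypeSniffingEnabled": "true",
    "xssProtectionEnabled": "true",
}


def url_matches(pattern: str, path: str) -> bool:
    """Servlet-style match: '*' and '/*' match everything, '/x/*' is a prefix, anything else is exact."""
    if pattern in ("*", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def filter_headers(params: Dict[str, str], secure: bool) -> Dict[str, str]:
    """Headers one HttpHeaderSecurityFilter instance sets for a request, given its params."""
    p = {**DEFAULTS, **params}
    headers: Dict[str, str] = {}
    # Tomcat adds HSTS only when request.isSecure() is true, i.e. the request came in over TLS.
    if p["hstsEnabled"] == "true" and secure:
        value = f"max-age={p['hstsMaxAgeSeconds']}"
        if p["hstsIncludeSubDomains"] == "true":
            value += ";includeSubDomains"
        headers["Strict-Transport-Security"] = value
    if p["antiClickJackingEnabled"] == "true":
        headers["X-Frame-Options"] = p["antiClickJackingOption"]
    if p["blockContentTypeSniffingEnabled"] == "true":
        headers["X-Content-Type-Options"] = "nosniff"
    if p["xssProtectionEnabled"] == "true":
        headers["X-XSS-Protection"] = "1; mode=block"
    return headers


def effective_headers(jaggery_conf: dict, path: str, secure: bool = True) -> Dict[str, str]:
    """Apply every mapped HttpHeaderSecurityFilter whose url matches `path`, in mapping order.

    The filter uses setHeader, so when two instances set the same header the later one wins.
    """
    filters = {f["name"]: f for f in jaggery_conf.get("filters", [])}
    headers: Dict[str, str] = {}
    for mapping in jaggery_conf.get("filterMappings", []):
        flt = filters.get(mapping["name"])
        if flt is None or flt.get("class") != HTTP_HEADER_SECURITY_FILTER:
            continue  # e.g. ContentTypeBasedCachePreventionFilter, which is not modelled here
        if url_matches(mapping["url"], path):
            params = {p["name"]: p["value"] for p in flt.get("params", [])}
            headers.update(filter_headers(params, secure))
    return headers


# The page's per-URL customization, embedded as the sample configuration.
CUSTOMIZED_CONF = json.loads("""
{
  "filters": [
    {"name": "HttpHeaderSecurityFilter",
     "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
     "params": [{"name": "antiClickJackingEnabled", "value": "false"}]},
    {"name": "HttpHeaderSecurityFilter_AntiClickJacking",
     "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
     "params": [{"name": "hstsEnabled", "value": "false"},
                {"name": "blockContentTypeSniffingEnabled", "value": "false"},
                {"name": "xssProtectionEnabled", "value": "false"}]}
  ],
  "filterMappings": [
    {"name": "HttpHeaderSecurityFilter", "url": "*"},
    {"name": "HttpHeaderSecurityFilter_AntiClickJacking", "url": "/portal/dashboards/mydashboard"}
  ]
}
""")


def with_production_hsts(conf: dict) -> dict:
    """Copy of `conf` with the page's production HSTS settings restored on the first ('*') filter."""
    fixed = json.loads(json.dumps(conf))  # deep copy; the original stays untouched
    fixed["filters"][0]["params"] += [
        {"name": "hstsMaxAgeSeconds", "value": "15768000"},
        {"name": "hstsIncludeSubDomains", "value": "true"},
    ]
    return fixed


if __name__ == "__main__":
    for path in ("/portal/dashboards/mydashboard", "/portal/dashboards/other"):
        print(path, effective_headers(CUSTOMIZED_CONF, path))
        print(path, "(production HSTS)", effective_headers(with_production_hsts(CUSTOMIZED_CONF), path))
```

Point `effective_headers` at `json.load(open(".../jaggery.conf"))` to check a real file; the Cache-Control header from the ContentTypeBasedCachePreventionFilter is outside this model and is best confirmed against a live response.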
Info: For more information about enabling these headers via filters, see the Apache Tomcat documentation for the HttpHeaderSecurityFilter.