
This section explains how to minimize the security threats to the Jaggery applications that are hosted within your WSO2 DAS pack. This is achieved via headers that can be embedded in the HTTP responses of these applications.

To apply the basic security headers required to secure Jaggery applications, update the <DAS_HOME>/repository/deployment/server/jaggeryapps/<app-name>/jaggery.conf file as shown in the steps below.

Note the following about the configurations below:

  • These configurations enable the Strict-Transport-Security: max-age=15768000; includeSubDomains header for additional security. This header instructs the browser to use only HTTPS when communicating with the host for the number of seconds specified via the max-age parameter (the filter parameter is accordingly named hstsMaxAgeSeconds), counted from the time the latest response carrying this header was received.
  • Enabling these headers in a developer environment may cause some inconvenience. Some browsers do not forget the preference for that domain until the time specified via the max-age parameter has elapsed, even when the browser cache is cleared. Therefore, it is recommended to enable these headers only in the production and staging environments.

These headers are required for the production and staging environments for additional security.


For development environments:

  1. Add the two filters named HttpHeaderSecurityFilter and ContentTypeBasedCachePreventionFilter in the "filters": [] section as shown below.

    "filters": [
        {
            "name": "HttpHeaderSecurityFilter",
            "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
            "params": [
                {"name": "hstsEnabled", "value": "false"},
                {"name": "antiClickJackingOption", "value": "SAMEORIGIN"}
            ]
        },
        {
            "name": "ContentTypeBasedCachePreventionFilter",
            "class": "org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter",
            "params": [
                {"name": "patterns", "value": "text/html\" ,application/json\" ,plain/text"},
                {"name": "filterAction", "value": "enforce"},
                {"name": "httpHeaders", "value": "Cache-Control: no-store, no-cache, must-revalidate, private"}
            ]
        }
    ],
  2. Add the filter mappings for the two filters you added. These two filter mapping configurations need to be added in the "filterMappings": [] section as shown below.

    "filterMappings": [
        {
            "name": "HttpHeaderSecurityFilter",
            "url": "*"
        },
        {
            "name": "ContentTypeBasedCachePreventionFilter",
            "url": "*"
        }
    ]
  3. Save your changes.

For production environments:

  1. Add the two filters named HttpHeaderSecurityFilter and ContentTypeBasedCachePreventionFilter in the "filters": [] section as shown below.

    "filters": [
        {
            "name": "HttpHeaderSecurityFilter",
            "class": "org.apache.catalina.filters.HttpHeaderSecurityFilter",
            "params": [
                {"name": "hstsMaxAgeSeconds", "value": "15768000"},
                {"name": "antiClickJackingOption", "value": "SAMEORIGIN"}
            ]
        },
        {
            "name": "ContentTypeBasedCachePreventionFilter",
            "class": "org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter",
            "params": [
                {"name": "patterns", "value": "text/html\" ,application/json\" ,plain/text"},
                {"name": "filterAction", "value": "enforce"},
                {"name": "httpHeaders", "value": "Cache-Control: no-store, no-cache, must-revalidate, private"}
            ]
        }
    ],
  2. Add the filter mappings for the two filters you added. These two filter mapping configurations need to be added in the "filterMappings": [] section as shown below.

    "filterMappings": [
        {"name": "HttpHeaderSecurityFilter", "url": "*"},
        {"name": "ContentTypeBasedCachePreventionFilter", "url": "*"}
    ]
  3. Save your changes.
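To confirm that a deployed application actually returns the headers these filters are meant to add, the following checker parses a raw HTTP response and reports what is missing or weak, distinguishing the development expectation (no HSTS) from the production/staging one. It is an added example, not code from WSO2 DAS or the Tomcat filter; the sample responses are constructed, and the HSTS header it expects is the one stated in the note above.

```python
import re

# Lifetime the production jaggery.conf sets via hstsMaxAgeSeconds
PROD_HSTS_MIN_AGE = 15768000
# Directives carried by the ContentTypeBasedCachePreventionFilter httpHeaders value
REQUIRED_CACHE_DIRECTIVES = {"no-store", "no-cache", "must-revalidate", "private"}


def parse_headers(raw_response):
    """Map lower-cased header names to values; status line and body are skipped."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw_response, production):
    """Return findings for one response; an empty list means it is compliant."""
    h = parse_headers(raw_response)
    findings = []
    # antiClickJackingOption=SAMEORIGIN is emitted as X-Frame-Options: SAMEORIGIN
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options missing or not SAMEORIGIN")
    # Every cache-prevention directive must survive (proxies or apps may rewrite it)
    present = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    missing = REQUIRED_CACHE_DIRECTIVES - present
    if missing:
        findings.append("Cache-Control missing: " + ", ".join(sorted(missing)))
    # HSTS: mandatory in production/staging, must be absent in development
    hsts = h.get("strict-transport-security")
    if production:
        m = re.search(r"max-age=(\d+)", hsts or "")
        if not m:
            findings.append("Strict-Transport-Security missing or has no max-age")
        else:
            if int(m.group(1)) < PROD_HSTS_MIN_AGE:
                findings.append("HSTS max-age below %d seconds" % PROD_HSTS_MIN_AGE)
            if "includesubdomains" not in hsts.lower():
                findings.append("HSTS lacks includeSubDomains")
    elif hsts is not None:
        findings.append("HSTS set in development (hstsEnabled should be false)")
    return findings


# Constructed sample responses, not captured from a real DAS server
PROD_OK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n"
           "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n"
           "Cache-Control: no-store, no-cache, must-revalidate, private\r\n\r\n<html>")
DEV_WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\n\r\n"
```

Run it against the output of a plain HTTPS request to the application (for example the raw response captured with curl -i) after each deployment, and treat any finding as a configuration regression.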