[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

Fri, 08 Sep 2017 08:16:22 -0700 

    [ 
https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16158777#comment-16158777
 ] 

ASF subversion and git services commented on KNOX-1028:
-------------------------------------------------------

Commit 5f413f35eb9fd67f67ff031d5b0b15af534d54e6 in knox's branch 
refs/heads/KNOX-998-Package_Restructuring from [~lmccay]
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=5f413f3 ]

KNOX-1028 - X-Frame-Options and other security headers are ineffective

> X-Frame-Options and other security headers are ineffective
> ----------------------------------------------------------
>
>                 Key: KNOX-1028
>                 URL: https://issues.apache.org/jira/browse/KNOX-1028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 0.13.0, 0.14.0
>            Reporter: Krishna Pandey
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 
> PM.png, with xframe.options.enabled.png
>
>
> When xframe-options.enabled param is set to true in WebAppSec provider, the 
> same is not reflecting in HTTP response header. See attached screenshot here.
>  !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!. 
> Also X-XSRF-Header param is not effective and curl calls without 
> X-XSRF-Header are also passing through. e.g.
>  
> {code:java}
> $ curl -iku admin:admin-password 
> https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: 
> JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 
> 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
> <?xml version="1.0" encoding="UTF-8"?>
> <ServerVersion>
>    <version>0.14.0-SNAPSHOT</version>
>    <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
> </ServerVersion>
> {code}
> Related topology config
> {noformat}
>               <provider>
>                       <role>webappsec</role>
>                       <name>WebAppSec</name>
>                       <enabled>true</enabled>
>                       <param>
>                               <name>csrf.enabled</name>
>                               <value>true</value>
>                       </param>
>                       <param>
>                               <name>csrf.customHeader</name>
>                               <value>X-XSRF-Header</value>
>                       </param>
>                       <param>
>                               <name>csrf.methodsToIgnore</name>
>                               <value>GET,OPTIONS,HEAD</value>
>                       </param>
>                       <param>
>                               <name>cors.enabled</name>
>                               <value>true</value>
>                       </param>
>                       <param>
>                               <name>xframe-options.enabled</name>
>                               <value>true</value>
>                       </param>
>               </provider>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to