[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16158777#comment-16158777 ]

ASF subversion and git services commented on KNOX-1028:
---

Commit 5f413f35eb9fd67f67ff031d5b0b15af534d54e6 in knox's branch refs/heads/KNOX-998-Package_Restructuring from [~lmccay]
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=5f413f3 ]

KNOX-1028 - X-Frame-Options and other security headers are ineffective

> X-Frame-Options and other security headers are ineffective
> --
>
> Key: KNOX-1028
> URL: https://issues.apache.org/jira/browse/KNOX-1028
> Project: Apache Knox
> Issue Type: Bug
> Components: Site
> Affects Versions: 0.13.0, 0.14.0
> Reporter: Krishna Pandey
> Priority: Critical
> Fix For: 0.14.0
>
> Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 PM.png, with xframe.options.enabled.png
>
>
> When the xframe-options.enabled param is set to true in the WebAppSec provider, the same is not reflected in the HTTP response header. See the attached screenshot here.
> !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!
> Also the X-XSRF-Header param is not effective, and curl calls without X-XSRF-Header are also passing through, e.g.
>
> {code:java}
> $ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
>
> 0.14.0-SNAPSHOT
> 6657f2fd9f52c8303fc9a2d1d72eef38be719288
> {code}
>
> Related topology config
> {noformat}
> webappsec
> WebAppSec
> true
>
> csrf.enabled
> true
>
> csrf.customHeader
> X-XSRF-Header
>
> csrf.methodsToIgnore
> GET,OPTIONS,HEAD
>
> cors.enabled
> true
>
> xframe-options.enabled
> true
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157883#comment-16157883 ]

Krishna Pandey commented on KNOX-1028:
--

Thanks [~lmc...@apache.org]. I tested this locally as suggested above and it works like a charm. I am able to see the security headers in force. Indeed this is a minor error in documentation, nothing much.
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157764#comment-16157764 ]

ASF subversion and git services commented on KNOX-1028:
---

Commit 5f413f35eb9fd67f67ff031d5b0b15af534d54e6 in knox's branch refs/heads/master from [~lmccay]
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=5f413f3 ]

KNOX-1028 - X-Frame-Options and other security headers are ineffective
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157767#comment-16157767 ]

Larry McCay commented on KNOX-1028:
---

I have also pushed a change to the default manager.xml topology to have the right param name.
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157754#comment-16157754 ]

ASF subversion and git services commented on KNOX-1028:
---

Commit 1807654 from [~lmc...@apache.org]
[ https://svn.apache.org/r1807654 ]

KNOX-1028 - X-Frame-Options and other security headers are ineffective
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157758#comment-16157758 ]

Larry McCay commented on KNOX-1028:
---

Updated docs for the proper param names.
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157730#comment-16157730 ]

Larry McCay commented on KNOX-1028:
---

Wow - lots of pictures in this JIRA. Not sure I like that. :)

I have changed this to a Site bug for now to correct the documentation with the wrong xframe.options.enabled param.
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157727#comment-16157727 ]

Larry McCay commented on KNOX-1028:
---

Turns out there are a couple things going on here:

1. X-Frame-Options enablement property should actually be xframe.options.enabled instead of xframe-options.enabled. When using the proper property name the header is sent as expected. See screen shot.
!with xframe.options.enabled.png!

2. GET methods are configured to be ignored for CSRF - and rightly so. If you change the methodsToIgnore property the enforcement can be seen. See this screen shot.
!csrf enforcement.png!
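The two root causes above (a silently ignored param name, and GET sitting in csrf.methodsToIgnore) are easy to re-introduce, so here is an added example, not Knox project code, that checks for both. It lints the webappsec provider of a topology for the misspelled xframe-options.enabled param and rewrites it to xframe.options.enabled, models which request methods the CSRF filter will challenge under the posted csrf.* params, and checks a captured HTTP response head for the X-Frame-Options header. The topology fragment and response heads are constructed inline: the <provider>/<param> element layout is the standard Knox topology format with the param names and values from the issue, and the header value DENY in the "after" response is an assumption about what the provider emits once enabled. The CSRF function is a model of the documented rule, not the Knox filter itself.

```python
"""Added example for KNOX-1028 (not Knox project code): lint a topology's
WebAppSec provider for the misspelled xframe-options.enabled param, model
which requests the CSRF filter challenges given csrf.methodsToIgnore, and
check a captured HTTP response head for the X-Frame-Options header."""
import re
import xml.etree.ElementTree as ET

CORRECT_XFRAME_PARAM = "xframe.options.enabled"  # name the provider reads
WRONG_XFRAME_PARAM = "xframe-options.enabled"    # misspelling from the old docs

# Constructed topology fragment: standard Knox <provider>/<param> layout
# carrying exactly the param names and values posted in the issue.
BROKEN_TOPOLOGY = """<topology><gateway><provider>
  <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>cors.enabled</name><value>true</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider></gateway></topology>"""

# Constructed response heads. The first mirrors the curl output in the issue
# (body omitted); the second adds the header with the value DENY, which is
# assumed here to be what the provider emits once it is enabled.
RESPONSE_BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 07 Sep 2017 16:57:27 GMT\r\n"
    "Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly\r\n"
    "Content-Type: application/xml\r\n"
    "Server: Jetty(9.2.15.v20160210)\r\n\r\n"
)
RESPONSE_AFTER_FIX = RESPONSE_BEFORE_FIX.replace(
    "Content-Type:", "X-Frame-Options: DENY\r\nContent-Type:")


def _is_true(value):
    return (value or "").strip().lower() == "true"


def webappsec_params(topology_xml):
    """Return {param name: value} for the webappsec provider, {} if absent."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("role") == "webappsec":
            return {p.findtext("name"): p.findtext("value")
                    for p in prov.findall("param")}
    return {}


def lint_webappsec(params):
    """Findings that explain why no X-Frame-Options header would be sent."""
    findings = []
    if WRONG_XFRAME_PARAM in params:
        findings.append(f"{WRONG_XFRAME_PARAM} is not a WebAppSec param and is "
                        f"silently ignored; rename it to {CORRECT_XFRAME_PARAM}")
    if not _is_true(params.get(CORRECT_XFRAME_PARAM)):
        findings.append(f"{CORRECT_XFRAME_PARAM} is not set to true; "
                        "X-Frame-Options will not be emitted")
    return findings


def fix_xframe_param(topology_xml):
    """Rename the misspelled param and return the corrected topology XML."""
    root = ET.fromstring(topology_xml)
    for name_el in root.iter("name"):
        if name_el.text == WRONG_XFRAME_PARAM:
            name_el.text = CORRECT_XFRAME_PARAM
    return ET.tostring(root, encoding="unicode")


def csrf_header_required(params, method):
    """Model of the documented rule (not the Knox filter itself): the custom
    header is demanded only when csrf.enabled is true and the method is not
    listed in csrf.methodsToIgnore. With the issue's config a GET passing
    without the header is therefore expected; a POST would be challenged."""
    if not _is_true(params.get("csrf.enabled")):
        return False
    ignored = {m.strip().upper()
               for m in (params.get("csrf.methodsToIgnore") or "").split(",")
               if m.strip()}
    return method.upper() not in ignored


def parse_response_headers(raw_response):
    """Parse an HTTP/1.1 response head into {lowercase name: value}
    (a repeated header such as Set-Cookie keeps its last value)."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw_response, expected=("x-frame-options",)):
    """Names from `expected` that are absent from the response head."""
    present = parse_response_headers(raw_response)
    return [h for h in expected if h not in present]


if __name__ == "__main__":
    for finding in lint_webappsec(webappsec_params(BROKEN_TOPOLOGY)):
        print("FINDING:", finding)
    fixed = webappsec_params(fix_xframe_param(BROKEN_TOPOLOGY))
    print("after fix:", lint_webappsec(fixed) or "clean")
    print("GET needs X-XSRF-Header:", csrf_header_required(fixed, "GET"))
    print("POST needs X-XSRF-Header:", csrf_header_required(fixed, "POST"))
    print("missing before:", missing_security_headers(RESPONSE_BEFORE_FIX))
    print("missing after:", missing_security_headers(RESPONSE_AFTER_FIX))
```

To use this against a live gateway, feed `missing_security_headers` the output of `curl -iks` (the full head, not just the body) and run `lint_webappsec` over each deployed topology; a GET returning 200 without X-XSRF-Header is only a bug if GET has been removed from csrf.methodsToIgnore, so test enforcement with a state-changing method such as POST.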