[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

2017-09-08 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16158777#comment-16158777 ]

ASF subversion and git services commented on KNOX-1028:
---

Commit 5f413f35eb9fd67f67ff031d5b0b15af534d54e6 in knox's branch refs/heads/KNOX-998-Package_Restructuring from [~lmccay]
[ https://git-wip-us.apache.org/repos/asf?p=knox.git;h=5f413f3 ]

KNOX-1028 - X-Frame-Options and other security headers are ineffective

> X-Frame-Options and other security headers are ineffective
> --
>
> Key: KNOX-1028
> URL: https://issues.apache.org/jira/browse/KNOX-1028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Site
>Affects Versions: 0.13.0, 0.14.0
>Reporter: Krishna Pandey
>Priority: Critical
> Fix For: 0.14.0
>
> Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 PM.png, with xframe.options.enabled.png
>
>
> When xframe-options.enabled param is set to true in WebAppSec provider, the 
> same is not reflecting in HTTP response header. See attached screenshot here.
>  !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!. 
> Also X-XSRF-Header param is not effective and curl calls without 
> X-XSRF-Header are also passing through. e.g.
>  
> {code:java}
> $ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
> 
> <ServerVersion>
>    <version>0.14.0-SNAPSHOT</version>
>    <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
> </ServerVersion>
> {code}
> Related topology config
> {noformat}
> <provider>
>     <role>webappsec</role>
>     <name>WebAppSec</name>
>     <enabled>true</enabled>
>     <param>
>         <name>csrf.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>csrf.customHeader</name>
>         <value>X-XSRF-Header</value>
>     </param>
>     <param>
>         <name>csrf.methodsToIgnore</name>
>         <value>GET,OPTIONS,HEAD</value>
>     </param>
>     <param>
>         <name>cors.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>xframe-options.enabled</name>
>         <value>true</value>
>     </param>
> </provider>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

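The two symptoms in the ticket (a WebAppSec param that produces no header, and a GET without X-XSRF-Header that passes) can both be checked offline from a pasted provider block and a pasted `curl -i` response. The script below is an added example, not Knox project code and not from any participant in this thread. It parses the webappsec provider, flags param names the provider does not recognize and suggests the closest known one (which is how a hyphen-versus-dot slip like the one in the ticket's config shows up), compares the headers a response carries against the headers the correctly spelled params should produce, and reports whether the CSRF filter would even demand the custom header for the HTTP method used, since the config's csrf.methodsToIgnore lists GET. The accepted param names, the header each enabling param controls, and the defaults for csrf.customHeader and csrf.methodsToIgnore are assumptions taken from the Knox user guide as I recall it; verify them against the documentation for your release. The topology and response strings are constructed, modelled on the ticket.

```python
"""Offline checks for the two symptoms in KNOX-1028: a WebAppSec param the
provider silently ignores, and a response lacking the header that param should
have produced.  Added example, not Knox project code.  Param names, header
mapping and defaults are assumptions from the Knox user guide; confirm locally."""
import difflib
import xml.etree.ElementTree as ET

KNOWN_WEBAPPSEC_PARAMS = sorted({  # assumption: per Knox docs
    "csrf.enabled", "csrf.customHeader", "csrf.methodsToIgnore",
    "cors.enabled", "cors.allowGenericHttpRequests", "cors.allowOrigin",
    "cors.allowSubdomains", "cors.supportedMethods", "cors.supportedHeaders",
    "cors.exposedHeaders", "cors.supportsCredentials", "cors.maxAge",
    "cors.tagRequests", "xframe.options.enabled", "xframe.options.value",
    "strict.transport.enabled", "strict.transport.value",
})
# Response header each "enabled" param turns on (assumption: per Knox docs).
HEADER_FOR_PARAM = {
    "xframe.options.enabled": "X-Frame-Options",
    "strict.transport.enabled": "Strict-Transport-Security",
}

# Constructed inputs: the provider block from the ticket (with its hyphenated
# xframe param) and the same block with the name corrected.
TICKET_TOPOLOGY = """<provider>
  <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>cors.enabled</name><value>true</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider>"""
FIXED_TOPOLOGY = TICKET_TOPOLOGY.replace("xframe-options.", "xframe.options.")

# Constructed `curl -i` output modelled on the ticket's; body shortened.
TICKET_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0
Content-Type: application/xml
Server: Jetty(9.2.15.v20160210)

<ServerVersion/>
"""
FIXED_RESPONSE = TICKET_RESPONSE.replace("Server:", "X-Frame-Options: DENY\nServer:", 1)


def webappsec_params(topology_xml):
    """Return {name: value} for the webappsec provider (bare <provider> or whole
    <topology>).  Topologies are operator-owned; use defusedxml for untrusted XML."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if (prov.findtext("role") or "").strip().lower() == "webappsec":
            return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
                    for p in prov.findall("param")}
    raise ValueError("no webappsec provider in topology")


def unknown_params(params):
    """Names the provider will ignore, each mapped to the closest known name
    (an empty list means nothing similar exists)."""
    return {n: difflib.get_close_matches(n, KNOWN_WEBAPPSEC_PARAMS, n=1, cutoff=0.8)
            for n in params if n not in KNOWN_WEBAPPSEC_PARAMS}


def expected_headers(params):
    """Headers the gateway should emit for the params that are spelled right."""
    return {h for p, h in HEADER_FOR_PARAM.items() if params.get(p, "").lower() == "true"}


def parse_http_response(raw):
    """Parse `curl -i` text into (status_line, {header_name_lower: [values]})."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    status, *lines = head.split("\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def csrf_requires_header(params, method):
    """True if the CSRF filter will reject `method` without the custom header.
    Default ignore list assumed to be GET,OPTIONS,HEAD as in the Knox docs."""
    if params.get("csrf.enabled", "").lower() != "true":
        return False
    ignored = params.get("csrf.methodsToIgnore", "GET,OPTIONS,HEAD")
    return method.upper() not in {m.strip().upper() for m in ignored.split(",")}


def audit(topology_xml, raw_response, method="GET"):
    """Combine the checks; `missing_headers` is the actionable finding."""
    params = webappsec_params(topology_xml)
    _, headers = parse_http_response(raw_response)
    expected = expected_headers(params)
    return {
        "unknown_params": unknown_params(params),
        "expected_headers": sorted(expected),
        "missing_headers": sorted(h for h in expected if h.lower() not in headers),
        "csrf_header_required": csrf_requires_header(params, method),
        "csrf_header": params.get("csrf.customHeader", "X-XSRF-Header"),
    }


if __name__ == "__main__":
    print("ticket:", audit(TICKET_TOPOLOGY, TICKET_RESPONSE))
    print("fixed:", audit(FIXED_TOPOLOGY, FIXED_RESPONSE, method="PUT"))
```

Run against the ticket's own config, the audit reports no expected headers at all, because `xframe-options.enabled` is not a name the provider knows; the unknown-param check points at `xframe.options.enabled`. With the corrected name and the same response, `X-Frame-Options` moves to the missing list, which is the condition that should fail a deployment check. The CSRF result for GET is "not required", so a GET without X-XSRF-Header succeeding says nothing about whether the filter is active; repeat the request with PUT or POST to exercise it.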

[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

2017-09-07 Thread Krishna Pandey (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157883#comment-16157883 ]

Krishna Pandey commented on KNOX-1028:
--

Thanks [~lmc...@apache.org]. I tested this locally as suggested above and it 
works like a charm. I am able to see the security headers in force. Indeed this 
is a minor error in the documentation, nothing much.



[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

2017-09-07 Thread ASF subversion and git services (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157754#comment-16157754 ]

ASF subversion and git services commented on KNOX-1028:
---

Commit 1807654 from [~lmc...@apache.org]
[ https://svn.apache.org/r1807654 ]

KNOX-1028 - X-Frame-Options and other security headers are ineffective



[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

2017-09-07 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157758#comment-16157758 ]

Larry McCay commented on KNOX-1028:
---

Updated docs for the proper param names.
