Krishna Pandey created KNOX-1028:
------------------------------------
Summary: X-Frame-Options and other security headers are ineffective
Key: KNOX-1028
URL: https://issues.apache.org/jira/browse/KNOX-1028
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 0.13.0, 0.14.0
Reporter: Krishna Pandey
Priority: Critical
Attachments: Screen Shot 2017-09-07 at 10.31.20 PM.png
When xframe-options.enabled param is set to true in WebAppSec provider, the
same is not reflecting in HTTP response header. See attached screenshot here
!Screen Shot 2017-09-07 at 10.31.20 PM.png|thumbnail! . Also X-XSRF-Header
param is not effective and curl calls without X-XSRF-Header are also passing
through. e.g.
{code:java}
$ curl -iku admin:admin-password
https://localhost:8443/gateway/admin/api/v1/version
HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie:
JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed,
06-Sep-2017 16:57:27 GMT
Content-Type: application/xml
Content-Length: 167
Server: Jetty(9.2.15.v20160210)
<?xml version="1.0" encoding="UTF-8"?>
<ServerVersion>
<version>0.14.0-SNAPSHOT</version>
<hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
</ServerVersion>
{code}
Related topology config
{noformat}
<provider>
<role>webappsec</role>
<name>WebAppSec</name>
<enabled>true</enabled>
<param>
<name>csrf.enabled</name>
<value>true</value>
</param>
<param>
<name>csrf.customHeader</name>
<value>X-XSRF-Header</value>
</param>
<param>
<name>csrf.methodsToIgnore</name>
<value>GET,OPTIONS,HEAD</value>
</param>
<param>
<name>cors.enabled</name>
<value>true</value>
</param>
<param>
<name>xframe-options.enabled</name>
<value>true</value>
</param>
</provider>
{noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
