
The main tool I (Jacques Le Roux) recommend is https://cyh.herokuapp.com/cyh


You can also find very good information at https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ and more limited information at https://www.owasp.org/index.php/List_of_useful_HTTP_headers


Here is the state we had (2015-12-12):

Here are some links for each header:

General references are notably:

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

X-Frame-Options

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types

https://www.owasp.org/index.php/Clickjacking

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options (interesting for devops, tells about Apache, Nginx and HAProxy)

Strict-Transport-Security

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html (for devops)

About HSTS preloading, if you really care about it: https://hstspreload.appspot.com/

X-Content-Type-Options

According to Wikipedia and OWASP, the only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared Content-Type. This also applies to Google Chrome when downloading extensions.

X-Powered-By

It's recommended to not use the X-Powered-By header.

Tomcat documentation: <<The xpoweredBy attribute controls whether or not the X-Powered-By HTTP header is sent with each request. If sent, the value of the header contains the Servlet and JSP specification versions, the full Tomcat version (e.g. Apache Tomcat/7.0.0), the name of the JVM vendor and the version of the JVM. This header is disabled by default. This header can provide useful information to both legitimate clients and attackers.>>

OFBiz users can decide to change this parameter if they want.
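The four headers discussed above can be checked offline against any set of response headers. The following Python script is an added example, not code from the OFBiz wiki or project: it parses the Strict-Transport-Security directives and reports findings for X-Frame-Options, HSTS, X-Content-Type-Options and X-Powered-By along the lines of this page. The two sample responses and the minimum HSTS max-age threshold are constructed for illustration, not captured from a real OFBiz instance.

```python
"""Audit HTTP response headers against the recommendations on this page."""
from typing import Dict, List, Optional


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse Strict-Transport-Security directives: max-age=N; includeSubDomains; preload."""
    result: Dict[str, object] = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max-age"] = int(arg.strip().strip('"'))
            except ValueError:
                result["max-age"] = None  # present but not a number: treat as invalid
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def audit_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    min_hsts_age (one year by default) is an assumed policy value, not from the page.
    """
    findings: List[str] = []

    # X-Frame-Options: only DENY and SAMEORIGIN are reliably honoured by browsers.
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has weak or invalid value: {xfo!r}")

    # Strict-Transport-Security: needs a usable max-age, ideally covering subdomains.
    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: no HSTS")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max-age"] is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif parsed["max-age"] < min_hsts_age:  # type: ignore[operator]
            findings.append(f"Strict-Transport-Security max-age too short: {parsed['max-age']}")
        if not parsed["includeSubDomains"]:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # X-Content-Type-Options: the only defined value is nosniff.
    xcto = _lookup(headers, "X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # X-Powered-By: should be absent; it only advertises the server stack.
    xpb = _lookup(headers, "X-Powered-By")
    if xpb is not None:
        findings.append(f"X-Powered-By present, leaks implementation details: {xpb!r}")

    return findings


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Powered-By": "Apache Tomcat/7.0.0",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or ["OK"])
```

Feed it the headers of a real response (for instance the dictionary returned by your HTTP client) to get the same kind of report the cyh tool linked at the top gives; the weak sample above produces five findings, the hardened one none.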
