HTTP security headers not detected

cancel
Showing results for 
Search instead for 
Did you mean: 
Mohammadsherani
Member II

HTTP security headers not detected

Hi All,

We are using ACS 5.2.6 with windows os.

 

We have recieved the security vulnerability titled:- HTTP security headers not detected.

And for the same we have two solution:-

 

 

 1. Security filters and clickjacking mitigation

You can configure a security filter, SecurityHeadersPolicy, that mitigates clickjacking attacks in Alfresco Share.

SecurityHeadersPolicy is a Java Servlet filter that applies HTTP response headers to incoming requests in Share. The headers that are returned are defined in a configuration section called SecurityHeadersPolicy in alfresco-security-config.xml.

Three headers are added by default; X-Frame-Options, X-Content-Type-Options and X-XSS-Protection:
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <value>SAMEORIGIN</value>
    </header>
    <header>
      <name>X-Content-Type-Options</name>
      <value>nosniff</value>
    </header>
    <header>
      <name>X-XSS-Protection</name>
      <value>1; mode=block</value>
    </header>
  </headers>
</config>

 

   2.  X-Frame-Options header

Adding this header to an HTTP response tells the browser whether Share pages are permitted inside iframes. In our default configuration we have set this to SAMEORIGIN which means that Share pages are only permitted inside iFrames inside Share or in other web applications that live under the same domain. 

You can override the configuration and set the header to return DENY instead, by placing the following configuration in your share-config-custom.xml file:
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <value>DENY</value>
    </header>
  </headers>
</config>
 

Can any one suggest which one will be the perfect solution for the same.

Currently we are planning to go with solution no 2(X-Frame-Options header)

 

1 Reply
EddieMay
Alfresco Employee

Re: HTTP security headers not detected

Hi @Mohammadsherani,

As I customer I advise you to raise a ticket through the customer support portal.

HTH, 

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!