http potential vulnerability #463
QMUL have just contacted Jisc about two potential vulnerabilities in the perfSONAR toolkit web page.

(0) The toolkit Does Not Implement HSTS Best Practices: not implementing HTTP Strict Transport Security (HSTS).

I believe this can be easily fixed by adding to the file apache-toolkit_web_gui-le-ssl.conf the line

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

I have done it for ps-slough-lat.ja.net.

Can some security wizard check/amend?

(1) Site Does Not Use Best Practices Against Embedding of Malicious Content: not using X-Frame-Options means greater vulnerability to clickjacking attacks.

I am puzzling on that.

Raul

Can the second issue, related to X-Frame, be fixed by adding the line Header always set X-Frame-Options "SAMEORIGIN" to httpd.conf?

Raul

For the X-Frame thing we are aware of this; we can't change this without breaking MaDDash and the graphs. This is one of many reasons why MaDDash and the graphs are going away in the next release. We can look into the HSTS thing and whether it makes sense in all cases. It's probably safe to do... and I feel like we looked at it before? Just need to make sure it doesn't break anything. As you have noted, users have the ability to adjust the configuration to whatever their requirements may be.

I've applied fixes to Jisc London and Jisc Slough. My limited security skills say the fixes work. I am waiting for the QMUL pen tester. Please feel free to poke any of the Jisc hosts.

The other thing we could do is add some comments in the documentation about such settings. Perhaps an additional section on this page? https://www.perfsonar.net/deployment_security.html
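An added example, not code from this issue or from the perfSONAR project: a small Python check for the two headers discussed here, so that a fix like the one applied to the Jisc hosts can be verified from the response headers rather than by eye. It also accepts a Content-Security-Policy frame-ancestors directive as a framing protection, because that directive, unlike X-Frame-Options, can name a specific allowed embedding origin; the header values in the comments and the minimum max-age are taken from the issue, everything else is assumed.

```python
"""Audit the two response headers raised in this issue: HSTS and framing."""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# One year in seconds, the max-age the issue proposes for HSTS.
MIN_HSTS_MAX_AGE = 31536000


def audit_headers(headers):
    """Return findings for a header mapping (case-insensitive keys); [] means OK."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # (0) HTTP Strict Transport Security
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security header missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("HSTS: max-age directive missing")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")

    # (1) Framing / clickjacking. X-Frame-Options only offers DENY or
    # SAMEORIGIN; a CSP frame-ancestors directive can instead name an allowed
    # embedding origin, which a page that embeds graphs from another host needs.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("Framing: no X-Frame-Options or CSP frame-ancestors")
    return findings


def audit_url(url, timeout=10):
    """HEAD-request a URL and audit its response headers (error responses too)."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return audit_headers(dict(resp.getheaders()))
    except HTTPError as err:  # 4xx/5xx responses still carry the security headers
        return audit_headers(dict(err.headers.items()))

if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        print(url, audit_url(url) or "OK")
```

Run it as `python audit_headers.py https://host.example/toolkit/` against a host after applying the Apache Header lines; an empty result means both headers are present as the issue recommends.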