Details

    • Type: Sub-task
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: Upcoming Release
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

        Activity

        Jacques Le Roux added a comment (edited):

        1st commit at r1719660: X-Frame-Options and Strict-Transport-Security

        Jacques Le Roux added a comment (edited):

        2nd commit at r1719682+1719683: X-Content-Type-Options

        Jacques Le Roux added a comment (edited):

        3rd step at r1719684: X-Powered-By

        Jacques Le Roux added a comment (edited):

        4th step at r1719762: setCookie (setSecure(true) and setHttpOnly(true))

        Jacques Le Roux added a comment:

        I reverted r1719762 at r1719764 because of OFBIZ-6655

        Jacques Le Roux added a comment (edited):

        The work on Set-Cookie will be done with OFBIZ-6655

        Jacques Le Roux added a comment:

        While working on a means to introduce X-XSS-Protection in OFBiz I stumbled upon this exchange between Jacopo and Mark Thomas about HttpHeaderSecurityFilter on the Tomcat users ML. Jacopo Cappellato I did not find any progress, do you have something working on your side?

        BTW AFAIK, unlike the <cookie-config> and <tracking-mode> <session-config> attributes (see OFBIZ-6655), the HttpHeaderSecurityFilter is Tomcat specific (started at 7.0.63). So I believe it is nice to have but not sufficient. Though we are not providing means to use another app server, users could have their own ways and then I don't think HttpHeaderSecurityFilter would be used.

        In the same spirit, I think we should also embed the RestCsrfPreventionFilter and maybe CORS Filter and even maybe others there (Expires Filter, etc.)

        Jacques Le Roux added a comment:

        Actually I put back r1719762, see why at OFBIZ-6655 (still WIP)

        Forrest Rae added a comment:

        Jacques,

        In the spirit of secure by default I'd like to throw my vote in for HttpHeaderSecurityFilter being enabled by default moving forward.

        hstsEnabled is an absolute must, do this over the other two. A work around if you leverage the mod_ajpproxy setup of Apache server in front of Tomcat, there is a really awesome Apache config found in the Better Crypto Guide that enables HSTS here: https://bettercrypto.org

        blockContentTypeSniffingEnabled would really help in situations where file uploads are replayed back to another user's web browser to prevent arbitrary HTML and JavaScript being executed in the SAMEORIGIN. More info: http://security.stackexchange.com/questions/12896/does-x-content-type-options-really-prevent-content-sniffing-attacks

        Clickjacking can be more severe than you think, and any counter measures you can provide would be great for users.

        Forrest Rae added a comment:

        Also, definitely enable support for CORS, there is a great write-up here: https://scotthelme.co.uk/content-security-policy-an-introduction/

        Forrest Rae added a comment:

        One more thing, are any of these going to be backported?

        Forrest Rae added a comment:

        Two useful sites besides CheckYourHeaders:

        https://securityheaders.io/
        https://report-uri.io/

        Jacques Le Roux added a comment (edited):

        I had a try at using HttpHeaderSecurityFilter and I must say I'm a bit disappointed. Because, as it's said at https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#web.xml, you can't have both your own way and HttpHeaderSecurityFilter: <<HttpHeaderSecurityFilter can be used to add headers to responses to improve security. If clients access Tomcat directly, then you probably want to enable this filter and all the headers it sets unless your application is already setting them.>>

        Since, in the RequestHandler class, I already covered all the points HttpHeaderSecurityFilter does (strict-transport-security, x-frame-options and x-content-type-options), there is not much interest in using it. It could even be counterproductive with duplicate or conflicting values. Moreover it does not handle X-XSS-Protection, which is a breeze to set in RequestHandler. Finally, doing so in RequestHandler has the advantage of not depending on Tomcat and covers not only OOTB web apps but any possible new ones.

        I also had a go with RestCsrfPreventionFilter, same disappointment. It's hard to set, as explained at https://www.mail-archive.com/users@tomcat.apache.org/msg88601.html. I gave up at this stage, on other filters as well... That does not mean they should not be considered in a custom project...

        Anyway all in all I prefer to handle security point by point rather than having a false sense of security relying on filters or what-not.

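The comment above contrasts setting the headers in the application (RequestHandler) with Tomcat's HttpHeaderSecurityFilter (whose web.xml init-params hstsEnabled, antiClickJackingEnabled and blockContentTypeSniffingEnabled cover the first three headers). The following is an added example, not OFBiz's RequestHandler code and not Tomcat's filter: a hypothetical container-independent servlet Filter (class name SecurityHeadersFilter is an assumption) that sets the same four headers, uses setHeader rather than addHeader so two layers cannot produce the duplicate or conflicting values mentioned above, and only emits Strict-Transport-Security on HTTPS responses. It is registered like any other filter with a <filter> and a <filter-mapping> on /* in web.xml.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a container-independent filter that sets the response
 * headers discussed in this issue. Hypothetical class; it is neither OFBiz's
 * RequestHandler nor Tomcat's HttpHeaderSecurityFilter.
 */
public class SecurityHeadersFilter implements Filter {

    /** One year. Add "; preload" only once the site is in the browser HSTS preload list. */
    static final String HSTS = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Set the headers before the chain runs: once a downstream handler has
        // committed the response, setHeader() is silently ignored.
        applyHeaders((HttpServletRequest) req, (HttpServletResponse) res);
        chain.doFilter(req, res);
    }

    /** Separated from doFilter() so it can be unit-tested with mock objects. */
    static void applyHeaders(HttpServletRequest request, HttpServletResponse response) {
        // Browsers ignore HSTS received over plain HTTP, so only emit it on HTTPS.
        // Behind a TLS-terminating proxy, isSecure() is true only if the connector
        // is marked secure (mod_proxy_ajp forwards this) or a RemoteIpValve /
        // RemoteIpFilter maps X-Forwarded-Proto; otherwise this branch never fires.
        if (request.isSecure()) {
            setIfAbsent(response, "Strict-Transport-Security", HSTS);
        }
        setIfAbsent(response, "X-Frame-Options", "SAMEORIGIN");
        setIfAbsent(response, "X-Content-Type-Options", "nosniff");
        // Kept for parity with the discussion. Current browsers have removed the
        // XSS auditor and ignore this header; Content-Security-Policy is the real control.
        setIfAbsent(response, "X-XSS-Protection", "1; mode=block");
    }

    /**
     * setHeader() replaces, addHeader() appends. Appending is what yields a second
     * header line with a different value when both a filter and the application
     * emit the same header. A value the application already chose is left alone.
     */
    private static void setIfAbsent(HttpServletResponse response, String name, String value) {
        if (!response.containsHeader(name)) {
            response.setHeader(name, value);
        }
    }
}
```

Verify the result from outside the container with `curl -sI https://host/webapp/control/main` and read the response headers; a filter mapped on /* also covers static resources, error pages and any web app added later, which is the "not only OOTB web apps" point made above.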
        Jacques Le Roux added a comment:

        Hi Forrest, it seems that we cross-posted, please read my conclusion in the above comment. Did you follow my WIP at https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure ?

        Jacques Le Roux added a comment:

        4th step at r1720213: X-XSS-Protection

        Forrest Rae added a comment:

        Jacques, apologies for the questions if they weren't applicable, I didn't have any background info. I thought you were suggesting not enabling protections, but I see you're accomplishing it in another manner.

        Can you link me to RequestHandler? I've not seen any info on it.

        Jacques Le Roux added a comment:

        Thanks, I will check that

        Jacques Le Roux added a comment:

        I'm not sure yet

        Jacques Le Roux added a comment:

        As I said in my conclusion, I think this and other filters are more to be used in custom projects. They are hard to set OOTB and would certainly need to be tweaked in custom projects anyway. Of course, as ever, contributions are welcome.

        Jacopo Cappellato added a comment:

        For your information: https://bz.apache.org/bugzilla/show_bug.cgi?id=58735
        Jacques Le Roux added a comment (edited):

        strict-transport-security (HSTS header) was done with r1719660 and "blockContentTypeSniffingEnabled" (aka "x-content-type-options", "nosniff") was already done with r1719939 (sorry, it's maybe hard to follow the commit flow because I have to test different strategies)

        BTW, this is a WIP, I know there are still some weak parts I don't want to disclose, please be patient

        Jacques Le Roux added a comment:

        I put some references above (and now below), you can follow the commits in this issue. Just look for instance at http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?r1=1720213&r2=1720212&pathrev=1720213

        Jacques Le Roux added a comment:

        Thanks Jacopo, quite new

        Jacques Le Roux added a comment:

        If you want to see it all use "View" on trunk HEAD at http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
        Jacques Le Roux added a comment:

        At r1812609 I added

        • the no-referrer-when-downgrade Referrer-Policy
        • a comment about Public-Key-Pins-Report-Only
        • a link to the related wiki page

        This is my next-to-last commit, before implementing a CSP policy, which is quite the stuff! Check for yourself at https://csp.withgoogle.com/docs/adopting-csp.html

        Jacques Le Roux added a comment:

        At r1812623 I reverted r1812540 ("Set-Cookie", "SameSite=strict") that I also forgot to report here.
        It does not fit with OFBiz which then asks you to login on any action, even when using "Set-Cookie", "SameSite=lax"

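The 4th step above (setSecure(true) and setHttpOnly(true) on cookies) and the SameSite revert just above both concern Set-Cookie attributes. The Servlet 3.x Cookie class has setSecure() and setHttpOnly() but no SameSite setter, so SameSite has to be appended to the raw header. The following is an added example, not OFBiz code: a hypothetical filter (class names CookieHardeningFilter and HardeningResponse are assumptions) that wraps the response and forces Secure, HttpOnly and SameSite=Lax onto every Set-Cookie the application emits, whether it came through addCookie() or a hand-written header. Lax rather than Strict is used here because Strict withholds the cookie on every cross-site request, including a top-level navigation from a link on another site, so the user arrives at the application without a session; Lax still sends the cookie on top-level GET navigations and withholds it only on cross-site subrequests and POSTs. Newer Tomcat versions can also do this container-wide through the sameSiteCookies attribute of the CookieProcessor in context.xml.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example (hypothetical, not OFBiz code): forces Secure, HttpOnly and
 * SameSite onto every Set-Cookie header the application writes.
 */
public class CookieHardeningFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        boolean secure = ((HttpServletRequest) req).isSecure();
        chain.doFilter(req, new HardeningResponse((HttpServletResponse) res, secure));
    }

    static final class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean secureRequest;

        HardeningResponse(HttpServletResponse response, boolean secureRequest) {
            super(response);
            this.secureRequest = secureRequest;
        }

        /** Render the cookie by hand, because the Cookie API cannot express SameSite. */
        @Override
        public void addCookie(Cookie c) {
            StringBuilder sb = new StringBuilder(c.getName()).append('=')
                    .append(c.getValue() == null ? "" : c.getValue());
            if (c.getPath() != null) {
                sb.append("; Path=").append(c.getPath());
            }
            if (c.getDomain() != null) {
                sb.append("; Domain=").append(c.getDomain());
            }
            if (c.getMaxAge() >= 0) { // -1 means a session cookie: no Max-Age
                sb.append("; Max-Age=").append(c.getMaxAge());
            }
            if (c.getSecure()) {
                sb.append("; Secure");
            }
            addHeader("Set-Cookie", sb.toString()); // goes through the override below
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, secureRequest) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, secureRequest) : value);
        }
    }

    /** Append whichever of Secure, HttpOnly and SameSite the header does not already carry. */
    static String harden(String setCookie, boolean secureRequest) {
        StringBuilder sb = new StringBuilder(setCookie);
        // Secure is only added on HTTPS; a cookie set over HTTP with Secure is never stored.
        if (secureRequest && !hasAttribute(setCookie, "Secure")) {
            sb.append("; Secure");
        }
        if (!hasAttribute(setCookie, "HttpOnly")) {
            sb.append("; HttpOnly");
        }
        if (!hasAttribute(setCookie, "SameSite")) {
            sb.append("; SameSite=Lax");
        }
        return sb.toString();
    }

    /** Case-insensitive match anchored on the ';' separator, so "SecureToken=1" is not taken for "Secure". */
    private static boolean hasAttribute(String setCookie, String attr) {
        return Pattern.compile("(?i);\\s*" + attr + "\\s*(=|;|$)").matcher(setCookie).find();
    }
}
```

Map the filter on /* and place it first in web.xml so it wraps the response before any code can write cookies. If the application is reached under a different host than the one issuing the session cookie, or posts forms across sites, even Lax will withhold the cookie and the login prompt will return; check the Set-Cookie line in the browser's network tab when that happens.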
        Jacques Le Roux added a comment:

        At r1812720 I have added a Content Security Policy

        To not block anything for the moment I have committed a simple, most restrictive Content-Security-Policy-Report-Only header

        Then we can look at the issues using browser tools (there are so many)
        The next step is to report the errors (when there will not be too many) in the log using a report-uri
        And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).
        If we encounter performance issues we can comment out the current Content-Security-Policy-Report-Only

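The step described above, reporting violations of a Content-Security-Policy-Report-Only header into the log through a report-uri, needs an endpoint for the browser to POST to. The following is an added example, not OFBiz code: a hypothetical servlet (class name CspReportServlet, path /csp-report and the policy string are assumptions) that accepts the application/csp-report JSON document browsers send, caps the body size, pulls out the fields worth grepping for, and strips line breaks before logging so a crafted blocked-uri cannot forge extra log lines. The endpoint must be reachable without a login and be exempt from any CSRF token check, since the browser posts to it on its own. report-uri has been superseded by report-to in CSP level 3 but is still honored by current browsers.

```java
import java.io.IOException;
import java.io.Reader;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical, not OFBiz code): the report-uri endpoint that a
 * Content-Security-Policy-Report-Only header points at. Browsers POST a JSON
 * body of the form {"csp-report": {...}} with Content-Type application/csp-report.
 */
public class CspReportServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(CspReportServlet.class.getName());

    /** Assumed report-only policy: allow only same-origin resources, report violations here. */
    static final String REPORT_ONLY_POLICY =
            "default-src 'self'; object-src 'none'; report-uri /csp-report";

    /** Real reports are a few hundred bytes; refuse more so the endpoint cannot be used to flood the log. */
    private static final int MAX_BODY_CHARS = 8 * 1024;

    private static final Pattern FIELD = Pattern.compile(
            "\"(document-uri|violated-directive|blocked-uri)\"\\s*:\\s*\"([^\"]*)\"");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String contentType = req.getContentType();
        if (contentType == null
                || !(contentType.startsWith("application/csp-report")
                        || contentType.startsWith("application/json"))) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        if (req.getContentLength() > MAX_BODY_CHARS) {
            resp.sendError(413); // Payload Too Large
            return;
        }
        String body = readBounded(req.getReader(), MAX_BODY_CHARS);
        LOG.warning("CSP violation from " + req.getRemoteAddr() + ": " + summarize(body));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Read at most max characters, even if Content-Length was omitted or understated. */
    static String readBounded(Reader reader, int max) throws IOException {
        char[] buf = new char[max];
        int total = 0;
        int n;
        while (total < max && (n = reader.read(buf, total, max - total)) != -1) {
            total += n;
        }
        return new String(buf, 0, total);
    }

    /**
     * Extract the three fields an operator greps for without a JSON library and
     * strip CR/LF so attacker-controlled values cannot inject log lines.
     */
    static String summarize(String json) {
        StringBuilder sb = new StringBuilder();
        Matcher m = FIELD.matcher(json);
        while (m.find()) {
            if (sb.length() > 0) {
                sb.append(' ');
            }
            sb.append(m.group(1)).append('=').append(m.group(2).replaceAll("[\\r\\n]", " "));
        }
        if (sb.length() == 0) {
            return "unparsed report: " + json.replaceAll("[\\r\\n]", " ");
        }
        return sb.toString();
    }
}
```

Expect a burst of reports as soon as the header goes live, mostly for inline scripts and styles, which is the "so many" the comment above refers to; tighten the policy one directive at a time using the violated-directive and blocked-uri values, and only rename the header to Content-Security-Policy once the report log is quiet on the OOTB applications.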

          People

          • Assignee:
            Jacques Le Roux
          • Reporter:
            Jacques Le Roux
          • Votes: 0
          • Watchers: 3