Posted to dev@knox.apache.org by "Krishna Pandey (JIRA)" <ji...@apache.org> on 2017/09/07 17:05:01 UTC
[jira] [Created] (KNOX-1028) X-Frame-Options and other security headers are ineffective
Krishna Pandey created KNOX-1028:
------------------------------------
Summary: X-Frame-Options and other security headers are ineffective
Key: KNOX-1028
URL: https://issues.apache.org/jira/browse/KNOX-1028
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 0.13.0, 0.14.0
Reporter: Krishna Pandey
Priority: Critical
Attachments: Screen Shot 2017-09-07 at 10.31.20 PM.png
When the xframe-options.enabled param is set to true in the WebAppSec provider, the same is not reflected in the HTTP response header. See the attached screenshot (Screen Shot 2017-09-07 at 10.31.20 PM.png). Also, the X-XSRF-Header param is not effective, and curl calls without the X-XSRF-Header are also passing through, e.g.:
{code}
$ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
Content-Type: application/xml
Content-Length: 167
Server: Jetty(9.2.15.v20160210)
<?xml version="1.0" encoding="UTF-8"?>
<ServerVersion>
<version>0.14.0-SNAPSHOT</version>
<hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
</ServerVersion>
{code}
Related topology config
{noformat}
<provider>
  <role>webappsec</role>
  <name>WebAppSec</name>
  <enabled>true</enabled>
  <param>
    <name>csrf.enabled</name>
    <value>true</value>
  </param>
  <param>
    <name>csrf.customHeader</name>
    <value>X-XSRF-Header</value>
  </param>
  <param>
    <name>csrf.methodsToIgnore</name>
    <value>GET,OPTIONS,HEAD</value>
  </param>
  <param>
    <name>cors.enabled</name>
    <value>true</value>
  </param>
  <param>
    <name>xframe-options.enabled</name>
    <value>true</value>
  </param>
</provider>
{noformat}
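A small check a defender can run against a gateway response while triaging a report like this one (added example, not code from the report or from Apache Knox): it reads the WebAppSec provider params from the topology fragment above, parses a raw HTTP response head, reports which headers the config asks for but the response lacks, and tells whether the CSRF filter, as configured, requires the custom header for a given request method. The topology and response text are constructed from the report; the header-name check only tests for presence of X-Frame-Options, not its value.

```python
# Added example: verify WebAppSec-implied headers against a raw HTTP response.
import xml.etree.ElementTree as ET

# Constructed from the topology fragment in the report.
TOPOLOGY = """<provider>
  <role>webappsec</role><name>WebAppSec</name><enabled>true</enabled>
  <param><name>csrf.enabled</name><value>true</value></param>
  <param><name>csrf.customHeader</name><value>X-XSRF-Header</value></param>
  <param><name>csrf.methodsToIgnore</name><value>GET,OPTIONS,HEAD</value></param>
  <param><name>xframe-options.enabled</name><value>true</value></param>
</provider>"""

# Constructed: the response head from the report's curl call (body shortened).
RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: JSESSIONID=constructed;Path=/gateway/admin;Secure;HttpOnly
Content-Type: application/xml
Server: Jetty(9.2.15.v20160210)

<?xml version="1.0" encoding="UTF-8"?><ServerVersion/>"""
# Constructed: the same response carrying the header the config asks for.
RESPONSE_FIXED = RESPONSE.replace("Server:", "X-Frame-Options: DENY\nServer:")

def provider_params(xml_text):
    """Map each <param> name in the provider block to its value."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.findall("param")}

def response_headers(raw):
    """Parse the header block of a raw HTTP response into {lower-name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():                 # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_headers(params, headers):
    """Headers the provider config implies but the response does not carry."""
    expected = ["X-Frame-Options"] if params.get("xframe-options.enabled") == "true" else []
    return [h for h in expected if h.lower() not in headers]

def csrf_header_required(params, method):
    """True if the CSRF filter, as configured, demands the custom header for method."""
    if params.get("csrf.enabled") != "true":
        return False
    ignored = {m.strip().upper() for m in params.get("csrf.methodsToIgnore", "").split(",")}
    return method.upper() not in ignored
```

Running it on the report's own GET shows that method is in csrf.methodsToIgnore, so only the POST/PUT/DELETE paths exercise the custom-header check.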