You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2017/09/07 21:54:00 UTC

[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective

    [ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157727#comment-16157727 ] 

Larry McCay commented on KNOX-1028:
-----------------------------------

Turns out there are a couple things going on here:

1. X-Frame-Options enablement property should actually be xframe.options.enabled instead of xframe-options.enabled. When using the proper property name the header is sent as expected. See screen shot.
!with xframe.options.enabled.png!

2. GET methods are configured to be ignored for CSRF - and rightly so. If you change the methodsToIgnore property the enforcement can be seen. See this screen shot.
!csrf enforcement.png!

> X-Frame-Options and other security headers are ineffective
> ----------------------------------------------------------
>
>                 Key: KNOX-1028
>                 URL: https://issues.apache.org/jira/browse/KNOX-1028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.13.0, 0.14.0
>            Reporter: Krishna Pandey
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 PM.png, with xframe.options.enabled.png
>
>
> When xframe-options.enabled param is set to true in WebAppSec provider, the same is not reflecting in HTTP response header. See attached screenshot here.
>  !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!. 
> Also X-XSRF-Header param is not effective and curl calls without X-XSRF-Header are also passing through. e.g.
>  
> {code:java}
> $ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
> <?xml version="1.0" encoding="UTF-8"?>
> <ServerVersion>
>    <version>0.14.0-SNAPSHOT</version>
>    <hash>6657f2fd9f52c8303fc9a2d1d72eef38be719288</hash>
> </ServerVersion>
> {code}
> Related topology config
> {noformat}
> 		<provider>
> 			<role>webappsec</role>
> 			<name>WebAppSec</name>
> 			<enabled>true</enabled>
> 			<param>
> 				<name>csrf.enabled</name>
> 				<value>true</value>
> 			</param>
> 			<param>
> 				<name>csrf.customHeader</name>
> 				<value>X-XSRF-Header</value>
> 			</param>
> 			<param>
> 				<name>csrf.methodsToIgnore</name>
> 				<value>GET,OPTIONS,HEAD</value>
> 			</param>
> 			<param>
> 				<name>cors.enabled</name>
> 				<value>true</value>
> 			</param>
> 			<param>
> 				<name>xframe-options.enabled</name>
> 				<value>true</value>
> 			</param>
> 		</provider>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)