Web server security hardening
Desktop Connect On-premise deployment comes with a default web server setup. If Desktop Connect is published on a public domain, it is recommended that you enable the following HTTP response headers as security hardening measures:
- Enable HTTP Strict Transport Security
- Block content type sniffing
- Avoid cross-site scripting attacks
- Clickjacking prevention
The above can be achieved by enabling security filters on the web server or load balancer.
Tomcat provides a number of Filters which may be configured for use with all web applications using $CATALINA_BASE/conf/web.xml or may be configured for individual web applications by configuring them in the application's WEB-INF/web.xml.
Enable HTTP header security filtering
<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Note
Detailed information on Tomcat filter options can be found in the official Tomcat documentation.
Enable HTTP Strict Transport Security
To enable HTTP Strict Transport Security, you need to change the security filters in the default Tomcat web.xml file, adding the following directives:
- hstsEnabled : Will an HTTP Strict Transport Security (HSTS) header (Strict-Transport-Security) be set on the response for secure requests. Any HSTS header already present will be replaced. See RFC 6797 for further details of HSTS. If not specified, the default value of true will be used.
- hstsMaxAgeSeconds : The max age value that should be used in the HSTS header. Negative values will be treated as zero. If not specified, the default value of 0 will be used.
- hstsIncludeSubDomains : Should the includeSubDomains parameter be included in the HSTS header. If not specified, the default value of false will be used.
- hstsPreload : Should the preload parameter be included in the HSTS header. If not specified, the default value of false will be used. See https://hstspreload.org for important information about this parameter.
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
Block content type sniffing
To block content type sniffing, you need to change the security filters in the default Tomcat web.xml file, adding the following directive:
- blockContentTypeSniffingEnabled : Should the header that blocks content type sniffing (X-Content-Type-Options) be set on every response. If already present, the header will be replaced. If not specified, the default value of true will be used.
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
Avoid cross-site scripting attacks
To avoid cross-site scripting attacks, you need to change the security filters in the default Tomcat web.xml file, adding the following directive:
- xssProtectionEnabled : Should the header that enables the browser's cross-site scripting filter protection (X-XSS-Protection: 1; mode=block) be set on every response. If already present, the header will be replaced. If not specified, the default value of true will be used.
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>xssProtectionEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
Clickjacking prevention
Anti-clickjacking controls where the application can be embedded. Because Desktop Connect is embedded into a bespoke application or a standard CRM such as Salesforce, Microsoft Dynamics or ServiceNow, the available antiClickJacking options do not apply:
- SAMEORIGIN would only allow Desktop Connect to be served if the embedding application is at the same location (same FQDN).
- ALLOW-FROM uri is an obsolete directive that is disregarded by all web browsers supported by Desktop Connect.
An alternative to the X-Frame-Options HTTP header is the Content-Security-Policy frame-ancestors directive, which can be set on IIS, NGINX or Apache web servers but not on Tomcat.
If clickjacking prevention needs to be added, it is highly recommended to enable it on the load balancer (or add a load balancer) that is able to set the CSP header.
Note
More information on the Content-Security-Policy frame-ancestors directive can be found here.