Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-18651

Add security http response headers and restrict access to error pages heap dump and stack traces

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.10
    • Fix Version/s: 7.10-HF07, 8.2
    • Component/s: Security / Rights
    • Upgrade notes:
      Hide

      By default the traces are hidden in error pages of Nuxeo. In order to activate the traces display in error pages of Nuxeo, the dev mode has to be set (org.nuxeo.dev in nuxeo.conf or in the admin center.)

      Show
      By default the traces are hidden in error pages of Nuxeo. In order to activate the traces display in error pages of Nuxeo, the dev mode has to be set (org.nuxeo.dev in nuxeo.conf or in the admin center.)

      Description

      Two points:

      • As a dev, I would like to configure by default Nuxeo server with the appropriate headers to avoid XSS attacks or other security flaws:
      <component name="org.nuxeo.headers.contrib">
        <extension
            target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
                point="responseHeaders">
          <header name="Cache-Control">no-cache</header>
          <header name="Pragma">no-cache</header>
          <header name="X-Content-Type-Options">nosniff</header>
          <header name="X-XSS-Protection">1; mode=block</header>
        </extension>
      </component>
      
      • And restrict stack traces and heap dump display in error pages in error_page.jsp


      By default the traces are hidden in error pages of Nuxeo, for security reasons. In order to activate the traces display in error pages of Nuxeo, the dev mode has to be set (org.nuxeo.dev in nuxeo.conf or in the admin center.)

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.