Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-18651

Add security http response headers and restrict access to error pages heap dump and stack traces

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.10
    • Fix Version/s: 7.10-HF07, 8.2
    • Component/s: Security / Rights
    • Tags:
    • Upgrade notes:
      Hide

      By default the traces are hidden in error pages of Nuxeo. In order to activate the traces display in error pages of Nuxeo, the dev mode has to be set (org.nuxeo.dev in nuxeo.conf or in the admin center.)

      Show
      By default the traces are hidden in error pages of Nuxeo. In order to activate the traces display in error pages of Nuxeo, the dev mode has to be set (org.nuxeo.dev in nuxeo.conf or in the admin center.)

      Description

      Two points:

      • As a dev, I would like to configure by default Nuxeo server with the appropriate headers to avoid XSS attacks or other security flaws:
      <component name="org.nuxeo.headers.contrib">
  <extension
      target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService"
          point="responseHeaders">
    <header name="Cache-Control">no-cache</header>
    <header name="Pragma">no-cache</header>
    <header name="X-Content-Type-Options">nosniff</header>
    <header name="X-XSS-Protection">1; mode=block</header>
  </extension>
</component>
      • And restrict stack traces and heap dump display in error pages in error_page.jsp


      By default the traces are hidden in error pages of Nuxeo, for security reasons. In order to activate the traces display in error pages of Nuxeo, the dev mode has to be set (org.nuxeo.dev in nuxeo.conf or in the admin center.)

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. NXP-25100 Fix JSF performance issue due to lack of cache on browser side

          • Major - Major loss of function.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. NXP-20344 Deactivate no-cache header on resources but only on pages

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Clean up - NXP-19145 Align nuxeo salesforce plugin on last security adding

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: