Hi,
Is it possible to enable httpHeaderSecurity in the headers of Tomcat for Report Server?
I've tried the parameters below in the /conf/web.xml file; however, the tool still cannot identify the headers properly.
Parameters:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
======================================================
> shcheck.py - santoru ..............................
------------------------------------------------------
Simple tool to check security headers on a webserver
======================================================
[*] Analyzing headers of
[*] Effective URL:
[!] Missing security header: X-Frame-Options
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Content-Security-Policy
Hi,
This is something that we will investigate in the near future! Especially the CSP header.
One quick idea (without testing it) to hack this into the reportserver was to change the ReportServer.html ...
changing the tomcat configuration is a way I never thought of ... this sounds like a great idea!
kind regards
Felix
Software developer at Infofabrik
Hi,
I've tried to hack ReportServer.html, but it didn't work.
I included this code in ReportServer.html:
<html>
<head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <meta http-equiv="Strict-Transport-Security" content="max-age=31536000">
Interestingly, when I check the root, the tool doesn't identify the security headers:
./shcheck.py https://myserver:8443/ -d
======================================================
> shcheck.py - santoru ..............................
------------------------------------------------------
Simple tool to check security headers on a webserver
======================================================
[*] Analyzing headers of https://myserver:8443/
[*] Effective URL: https://myserver:8443/
[!] Missing security header: X-Frame-Options
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
However, when I test the ReportServer.html page directly, the tool identifies the headers:
./shcheck.py https://myserver:8443/ReportServer.html -d
======================================================
> shcheck.py - santoru ..............................
------------------------------------------------------
Simple tool to check security headers on a webserver
======================================================
[*] Analyzing headers of https://myserver:8443/ReportServer.html
[*] Effective URL: https://myserver:8443/ReportServer.html
[*] Header X-XSS-Protection is present! (Value: 1; mode=block)
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=31536000;includeSubDomains)
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
Hi marcioribeiro1979,
what happens when you edit your REPORTSERVER/WAR/WEB-INF/web.xml file directly?
Regards,
Eduardo
Hi Eduardo,
Our ReportServer is installed in this folder: /local/reportserver-tomcat
I included the following configuration in these 3 files:
/local/reportserver-tomcat/conf/web.xml
/local/reportserver-tomcat/webapps/ROOT/WEB-INF/web.xml
/local/reportserver-tomcat/ReportServer/WEB-INF/web.xml
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Then, I created a simple test page: /local/reportserver-tomcat/ReportServer/test.html
<html>
<body>
    <p>Hello World</p>
</body>
</html>
When I test the root folder, I get this result:
./shcheck.py https://myserver:8443 -d
======================================================
> shcheck.py - santoru ..............................
------------------------------------------------------
Simple tool to check security headers on a webserver
======================================================
[*] Analyzing headers of https://myserver:8443
[*] Effective URL: https://myserver:8443
[!] Missing security header: X-Frame-Options
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
-------------------------------------------------------
[!] Headers analyzed for https://myserver:8443
[+] There are 0 security headers
[-] There are not 9 security headers
However, when I test the page, it works:
./shcheck.py https://myserver:8443/test.html -d
======================================================
> shcheck.py - santoru ..............................
------------------------------------------------------
Simple tool to check security headers on a webserver
======================================================
[*] Analyzing headers of https://myserver:8443/test.html
[*] Effective URL: https://myserver:8443/test.html
[*] Header X-XSS-Protection is present! (Value: 1; mode=block)
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=31536000;includeSubDomains)
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
-------------------------------------------------------
[!] Headers analyzed for https://myserver:8443/test.html
[+] There are 4 security headers
[-] There are not 6 security headers
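As an added example that is not code from this thread or from ReportServer: a small Python check that derives the headers Tomcat's HttpHeaderSecurityFilter should emit from the <filter> element posted above and compares them with what shcheck reported, so a scan that shows none of them (as for the root URL in the last post) is flagged as a mismatch instead of being eyeballed. The init-param defaults and header formats are assumptions taken from the Tomcat filter documentation; the XML and scanner lines are constructed copies of those posted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the <filter> element posted in the thread (filter only, not the mapping).
WEB_XML_FILTER = """<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>
</filter>"""

# Constructed sample of the shcheck lines reported for /test.html above.
SHCHECK_TEST_HTML = """[*] Header X-XSS-Protection is present! (Value: 1; mode=block)
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=31536000;includeSubDomains)
[!] Missing security header: Content-Security-Policy"""

def filter_params(filter_xml):
    """Map init-param names to values from a <filter> element."""
    return {p.findtext("param-name").strip(): p.findtext("param-value").strip()
            for p in ET.fromstring(filter_xml).findall("init-param")}

def expected_headers(params, secure=True):
    """Headers HttpHeaderSecurityFilter should add for these init-params (assumed defaults:
    HSTS, anti-clickjacking, nosniff and X-XSS-Protection on; HSTS only on secure requests)."""
    on = lambda key, default: params.get(key, default).lower() == "true"
    out = {}
    if secure and on("hstsEnabled", "true"):
        hsts = "max-age=" + params.get("hstsMaxAgeSeconds", "0")
        hsts += ";includeSubDomains" if on("hstsIncludeSubDomains", "false") else ""
        out["Strict-Transport-Security"] = hsts
    if on("antiClickJackingEnabled", "true"):
        out["X-Frame-Options"] = params.get("antiClickJackingOption", "DENY").upper()
    if on("blockContentTypeSniffingEnabled", "true"):
        out["X-Content-Type-Options"] = "nosniff"
    if on("xssProtectionEnabled", "true"):
        out["X-XSS-Protection"] = "1; mode=block"
    return out

def observed_headers(shcheck_text):
    """Parse 'Header NAME is present! (Value: V)' lines from shcheck output."""
    return dict(re.findall(r"Header (\S+) is present! \(Value: (.*)\)", shcheck_text))

def mismatches(expected, observed):
    """Expected headers the scanner did not see, or saw with a different value."""
    return {h: (v, observed.get(h)) for h, v in expected.items() if observed.get(h) != v}
```

Running mismatches() over the root-URL scan as well makes the symptom in the last post explicit: every expected header comes back as (value, None), which says the response for that URL never passed through the filter at all, rather than that one init-param is wrong.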