Announcement

Migration of this forum

Dear users of this forum,

We are pleased to inform you that we will be updating the software behind this forum in the near future.

Existing posts, users and categories will remain untouched.

Important:

  • Each user will need to reset their password.
  • Please select "I forgot my password".
  • Enter the email address you used to register in this forum.
  • You will receive an email with a link to set a new password.
  • Please choose a new (secure) password and confirm the process.

We will keep you informed in the pinned thread.

Kind regards,
Your ReportServer Team



#1 2024-06-06 12:12:01

marcioribeiro1979
Member
Registered: 2023-04-18

httpHeaderSecurity in Report Server 4.6

Hi,

Is it possible to enable httpHeaderSecurity in the Tomcat headers for Report Server?

I've tried the parameters below in the /conf/web.xml file; however, the tool still cannot identify the headers properly.

Parameters:

<!-- Tomcat's built-in HttpHeaderSecurityFilter; here only the HSTS options are set -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <!-- Emits: Strict-Transport-Security: max-age=31536000;includeSubDomains -->
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <!-- Only REQUEST dispatches are filtered; FORWARD/ERROR/INCLUDE dispatches are not listed -->
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>


======================================================
 > shcheck.py - santoru ..............................
------------------------------------------------------
 Simple tool to check security headers on a webserver
======================================================

[*] Analyzing headers of 
[*] Effective URL: 
[!] Missing security header: X-Frame-Options
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Content-Security-Policy


#2 2024-06-07 10:01:51

IF_Felix
Moderator
Registered: 2022-08-01

Re: httpHeaderSecurity in Report Server 4.6

hi,

This is something that we will investigate in the near future! Especially the CSP header.
One quick idea (without testing it) to hack this into the ReportServer was to change the ReportServer.html ...

Changing the Tomcat configuration is a way I never thought of ... this sounds like a great idea!

Kind regards

Felix


Software developer at Infofabrik


#3 2024-06-07 13:17:04

marcioribeiro1979
Member
Registered: 2023-04-18

Re: httpHeaderSecurity in Report Server 4.6

Hi,

I've tried to hack ReportServer.html, but it didn't work.
I included this code in ReportServer.html:

<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <meta http-equiv="Strict-Transport-Security" content="max-age=31536000">

Interestingly, when I check the root, the tool doesn't identify the security headers:

./shcheck.py https://myserver:8443/ -d

======================================================
 > shcheck.py - santoru ..............................
------------------------------------------------------
 Simple tool to check security headers on a webserver
======================================================

[*] Analyzing headers of https://myserver:8443/
[*] Effective URL: https://myserver:8443/
[!] Missing security header: X-Frame-Options
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy

However, when I test the ReportServer.html page directly, the tool identifies the headers:

./shcheck.py https://myserver:8443/ReportServer.html -d

======================================================
 > shcheck.py - santoru ..............................
------------------------------------------------------
 Simple tool to check security headers on a webserver
======================================================

[*] Analyzing headers of https://myserver:8443/ReportServer.html
[*] Effective URL: https://myserver:8443/ReportServer.html
[*] Header X-XSS-Protection is present! (Value: 1; mode=block)
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=31536000;includeSubDomains)
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy


#4 2024-06-20 12:08:54

IF_Eduardo
Administrator
Registered: 2016-11-01

Re: httpHeaderSecurity in Report Server 4.6

Hi marcioribeiro1979,

what happens when you edit your REPORTSERVER/WAR/WEB-INF/web.xml file directly?

Regards,
Eduardo


#5 2024-06-21 16:40:02

marcioribeiro1979
Member
Registered: 2023-04-18

Re: httpHeaderSecurity in Report Server 4.6

Hi Eduardo,

Our ReportServer is installed in this folder: /local/reportserver-tomcat

I included the following configuration in these 3 files:

  • /local/reportserver-tomcat/conf/web.xml

  • /local/reportserver-tomcat/webapps/ROOT/WEB-INF/web.xml

  • /local/reportserver-tomcat/ReportServer/WEB-INF/web.xml

<!-- Tomcat's built-in HttpHeaderSecurityFilter with HSTS and anti-clickjacking enabled.
     X-Content-Type-Options: nosniff and X-XSS-Protection are on by default in this filter. -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <!-- Emits: Strict-Transport-Security: max-age=31536000;includeSubDomains -->
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- Emits: X-Frame-Options: DENY -->
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>DENY</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <!-- Only REQUEST dispatches are filtered; FORWARD/ERROR/INCLUDE dispatches are not listed -->
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Then, I created a simple test page: /local/reportserver-tomcat/ReportServer/test.html

<html>
<body>
<p>Hello World</p>
</body>
</html>

When I test the root folder, I get this result:

./shcheck.py https://myserver:8443 -d

======================================================
 > shcheck.py - santoru ..............................
------------------------------------------------------
 Simple tool to check security headers on a webserver
======================================================

[*] Analyzing headers of https://myserver:8443
[*] Effective URL: https://myserver:8443
[!] Missing security header: X-Frame-Options
[!] Missing security header: X-Content-Type-Options
[!] Missing security header: Strict-Transport-Security
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
-------------------------------------------------------
[!] Headers analyzed for https://myserver:8443
[+] There are 0 security headers
[-] There are not 9 security headers

However, when I test the page, it works:

./shcheck.py https://myserver:8443/test.html -d

======================================================
 > shcheck.py - santoru ..............................
------------------------------------------------------
 Simple tool to check security headers on a webserver
======================================================

[*] Analyzing headers of https://myserver:8443/test.html
[*] Effective URL: https://myserver:8443/test.html
[*] Header X-XSS-Protection is present! (Value: 1; mode=block)
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=31536000;includeSubDomains)
[!] Missing security header: Content-Security-Policy
[!] Missing security header: Referrer-Policy
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
-------------------------------------------------------
[!] Headers analyzed for https://myserver:8443/test.html
[+] There are 4 security headers
[-] There are not 6 security headers

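The shcheck runs in this thread only report whether a header is present. Two things a practitioner also wants from such a check: that the header values are actually strong (the HSTS max-age, includeSubDomains, a DENY/SAMEORIGIN frame option), and that every hop is covered, because a scanner that follows redirects reports only the final "effective" URL while HSTS has to be sent on the 3xx hop as well. Note also that Strict-Transport-Security and X-Frame-Options are honoured by browsers only as real HTTP response headers, never as <meta http-equiv> tags, and that Tomcat's HttpHeaderSecurityFilter has no options for Content-Security-Policy or Referrer-Policy, so those two will stay missing until they are added elsewhere (a reverse proxy or a custom filter). The script below is an added example, not code from ReportServer, Tomcat or shcheck; it parses raw HTTP/1.1 responses offline. The sample responses are constructed to mirror the two runs above (the root with no security headers, test.html with the four headers the filter emits), and the 302 hop is hypothetical.

```python
"""Offline audit of the security response headers discussed in this thread.

Added example, not code from ReportServer, Tomcat or shcheck.  The sample
responses are CONSTRUCTED to mirror the two shcheck runs above: the root URL
answered with no security headers, and test.html answered with the four
headers that Tomcat's HttpHeaderSecurityFilter emits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # hstsMaxAgeSeconds used in the thread's web.xml

# --- constructed sample responses (not captured from a real server) ---------
CONSTRUCTED_ROOT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
CONSTRUCTED_TEST_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Hypothetical redirect hop: a scanner that follows redirects reports only the
# final ("effective") URL, but HSTS has to be present on this hop as well.
CONSTRUCTED_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://myserver:8443/ReportServer.html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


@dataclass
class Audit:
    status: int
    missing: List[str] = field(default_factory=list)  # header absent
    weak: List[str] = field(default_factory=list)     # header present, value too lax
    is_redirect: bool = False


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_block.decode("iso-8859-1").split("\r\n"):
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()  # last duplicate wins
    return status, headers


def parse_hsts(value: str) -> Dict[str, str]:
    """'max-age=31536000;includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def audit(raw: bytes, min_hsts_age: int = ONE_YEAR) -> Audit:
    """Report absent headers and headers whose value is weaker than expected."""
    status, h = parse_response(raw)
    result = Audit(status=status, is_redirect=300 <= status < 400)

    hsts = h.get("strict-transport-security")
    if hsts is None:
        result.missing.append("Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age", "")
        if not age.isdigit() or int(age) < min_hsts_age:
            result.weak.append(f"Strict-Transport-Security: max-age={age!r} below {min_hsts_age}")
        if "includesubdomains" not in d:
            result.weak.append("Strict-Transport-Security: includeSubDomains not set")

    xfo = h.get("x-frame-options")
    if xfo is None:
        result.missing.append("X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        result.weak.append(f"X-Frame-Options: unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        result.missing.append("X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        result.weak.append(f"X-Content-Type-Options: unexpected value {xcto!r}")

    # HttpHeaderSecurityFilter has no option for these two; they must be set
    # elsewhere (a reverse proxy, or a custom filter in the application).
    for name in ("Content-Security-Policy", "Referrer-Policy"):
        if name.lower() not in h:
            result.missing.append(name)
    return result


def audit_chain(hops: List[bytes]) -> List[Audit]:
    """Audit every hop of a redirect chain, not only the final response."""
    return [audit(hop) for hop in hops]


if __name__ == "__main__":
    for label, raw in (("/", CONSTRUCTED_ROOT), ("/test.html", CONSTRUCTED_TEST_HTML)):
        a = audit(raw)
        print(f"{label}: HTTP {a.status}, missing={a.missing}, weak={a.weak}")
    for i, a in enumerate(audit_chain([CONSTRUCTED_REDIRECT, CONSTRUCTED_TEST_HTML])):
        print(f"hop {i}: HTTP {a.status}, redirect={a.is_redirect}, missing={a.missing}")
```

To feed it a real response, capture the raw status line and headers first, for example with `curl -sS -D - -o /dev/null https://myserver:8443/`; the status code of the root response is the first thing to look at, since a 3xx there would be a separate hop from the page the scanner finally lands on. A second thing worth ruling out for the root-versus-page difference is the mapping itself: the filter-mapping in the thread lists only the REQUEST dispatcher, so a response produced through an internal forward or an error-page dispatch would bypass the filter; adding FORWARD and ERROR dispatcher entries to the mapping is harmless and removes that variable.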
