As of Ignition 8.0.8, several security-focused changes were made to HTTP responses. First, the gateway no longer sets the Server header on HTTP responses, which prevents potential information leakage about the server software. Second, a set of gateway security headers is now sent with secure default values. We did, however, want to offer the opportunity to change the values of these headers.
The default values for these headers should be appropriate for most installations; however, you may need to change them in some cases. For example, if you are embedding a Perspective session inside a web-based application served from another origin, and that stops working after upgrading to 8.0.8 or later, you may need to modify the X-Frame-Options header.
Headers and Values
Each header has a separate property responsible for enabling or disabling that header:
HTTP Header | Enabled System Property | Enabled by Default |
---|---|---|
Referrer-Policy | ignition.http.header.referrer_policy.enabled | true |
X-Content-Type-Options | ignition.http.header.x_content_type_options.enabled | true |
X-Frame-Options | ignition.http.header.x_frame_options.enabled | true |
X-XSS-Protection | ignition.http.header.x_xss_protection.enabled | true |
In addition, each header has a property that determines the value sent for the header:
HTTP Header | Value System Property | Default Value |
---|---|---|
Referrer-Policy | ignition.http.header.referrer_policy.value | strict-origin-when-cross-origin |
X-Content-Type-Options | ignition.http.header.x_content_type_options.value | nosniff |
X-Frame-Options | ignition.http.header.x_frame_options.value | SAMEORIGIN |
X-XSS-Protection | ignition.http.header.x_xss_protection.value | 1; mode=block |
Strict Transport Security
In addition to the headers defined above, Strict-Transport-Security can be enabled (it is disabled by default). The header is enabled by setting the Max Age property.
Max Age
Represents the number of seconds that the browser should remember that a site is only to be accessed using HTTPS. Setting this to a number less than zero will disable the header altogether.
Example:
ignition.https.sts.maxAge=31536000
Include Sub Domains
Determines whether subdomains should be included in the policy. By default this is set to false.
Example:
ignition.https.sts.includeSubDomains=true/false
Making changes
These changes can be made while the gateway is running, but will require a gateway restart to take effect.
1) Locate the ignition.conf file
On the gateway server, navigate to the Ignition installation directory.
In the installation directory, navigate to "data", and there should be a file named ignition.conf. Open this file in the text editor of your choice. (Note: you may want to create a copy of this file and save it elsewhere, just in case you need to revert any changes made).
2) Search the file for "Java Additional Parameters"
Search the file for the "Java Additional Parameters" line. It should look something like the following:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
This is the area where new parameters are added. Lines beginning with a "#" character are commented out and are ignored by the gateway.
3) Make the Change
Make sure the index number on each active parameter is unique and incremented; commented lines do not count, so their index number can be reused.
In addition, you will need to add a "-D" before the name of the property, which is what turns it into a Java system property the gateway reads at startup. For example, we could modify the example above to change the referrer policy:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin
We can continue to add new lines to make more configuration changes:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin
wrapper.java.additional.3=-Dignition.http.header.x_xss_protection.enabled=false
If we needed to enable Strict-Transport-Security, we would update our example to the following:
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin
wrapper.java.additional.3=-Dignition.http.header.x_xss_protection.enabled=false
wrapper.java.additional.4=-Dignition.https.sts.maxAge=31536000
wrapper.java.additional.5=-Dignition.https.sts.includeSubDomains=true
4) Save and Restart
Once all of the desired options have been configured, save the ignition.conf file and restart the gateway. That's it! Your gateway should be using the new configuration once it has started.
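Because a typo in the index number or a missing "-D" silently leaves the old settings in place until someone inspects the gateway's responses, it helps to check the edited ignition.conf and the live response headers against the values documented in the tables above. The following script is an added example written for this article; it is not part of Ignition and not code from Inductive Automation. It parses the wrapper.java.additional.N lines of a constructed ignition.conf fragment (the one from step 3), flags reused index numbers and properties entered without the "-D" prefix, derives the headers the gateway should send from the documented defaults and the overrides it found, and compares them to a constructed set of response headers. The exact Strict-Transport-Security string the gateway emits (max-age=N; includeSubDomains) is assumed from the standard header format rather than taken from this page.

```python
"""Audit Ignition gateway security-header settings (added example, not Ignition code)."""
import re

# Header -> (system-property prefix, documented default value), per the tables above.
HEADER_PROPS = {
    "Referrer-Policy": ("ignition.http.header.referrer_policy", "strict-origin-when-cross-origin"),
    "X-Content-Type-Options": ("ignition.http.header.x_content_type_options", "nosniff"),
    "X-Frame-Options": ("ignition.http.header.x_frame_options", "SAMEORIGIN"),
    "X-XSS-Protection": ("ignition.http.header.x_xss_protection", "1; mode=block"),
}

WRAPPER_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$")


def parse_wrapper_conf(text):
    """Return (system_properties, problems) for an ignition.conf fragment.

    Only active (non-commented) wrapper.java.additional.N lines are read, so a
    commented-out line does not reserve its index.  A reused index and an
    ignition.* property written without the -D prefix are reported as problems,
    because the wrapper would drop or ignore them and the old settings would stay.
    """
    props, problems, seen = {}, [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = WRAPPER_RE.match(line)
        if not m:
            continue
        idx, arg = int(m.group(1)), m.group(2).strip()
        if idx in seen:
            problems.append(f"line {lineno}: index {idx} already used on line {seen[idx]}")
        seen[idx] = lineno
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
        elif arg.startswith("ignition."):
            problems.append(f"line {lineno}: '{arg}' is missing the -D prefix")
        # Any other argument (e.g. -Xmx) is a plain JVM option and is left alone.
    return props, problems


def expected_headers(props):
    """Derive the headers the gateway should send from defaults plus overrides."""
    expected = {}
    for header, (prefix, default) in HEADER_PROPS.items():
        if props.get(prefix + ".enabled", "true").lower() == "true":
            expected[header] = props.get(prefix + ".value", default)
    # HSTS is off unless maxAge is set to zero or more (negative disables it).
    max_age = int(props.get("ignition.https.sts.maxAge", "-1"))
    if max_age >= 0:
        value = f"max-age={max_age}"  # assumed wire format (RFC 6797 style)
        if props.get("ignition.https.sts.includeSubDomains", "false").lower() == "true":
            value += "; includeSubDomains"
        expected["Strict-Transport-Security"] = value
    return expected


def audit_response(actual_headers, expected):
    """List every difference between observed response headers and the expected set."""
    actual = {k.lower(): v for k, v in actual_headers.items()}
    findings = []
    if "server" in actual:  # 8.0.8+ gateways should not send this at all
        findings.append(f"Server header present: {actual['server']!r}")
    for name, want in expected.items():
        got = actual.get(name.lower())
        if got is None:
            findings.append(f"{name} missing (expected {want!r})")
        elif got != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    for name in HEADER_PROPS:
        if name not in expected and name.lower() in actual:
            findings.append(f"{name} still sent although disabled in configuration")
    return findings


# Constructed ignition.conf fragment, copied from the step 3 example above.
SAMPLE_CONF = """\
# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
wrapper.java.additional.2=-Dignition.http.header.referrer_policy.value=same-origin
wrapper.java.additional.3=-Dignition.http.header.x_xss_protection.enabled=false
wrapper.java.additional.4=-Dignition.https.sts.maxAge=31536000
wrapper.java.additional.5=-Dignition.https.sts.includeSubDomains=true
"""

# Constructed response headers, as a gateway that has not yet been restarted would send them.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html;charset=utf-8",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}


def run_sample():
    """Parse the sample conf, compute expectations, and audit the sample response."""
    props, problems = parse_wrapper_conf(SAMPLE_CONF)
    findings = audit_response(SAMPLE_RESPONSE, expected_headers(props))
    return problems, findings


if __name__ == "__main__":
    conf_problems, header_findings = run_sample()
    print("conf problems:", conf_problems or "none")
    for line in header_findings:
        print("finding:", line)
```

Run against a real gateway, the response headers would come from a request to the gateway's web server after the restart; every finding printed is a header that does not yet match what ignition.conf asks for, which is the quickest way to tell that the restart, the index numbering, or the "-D" prefix was missed.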