A-MQ Broker / ENTMQBR-1025

Hawtio console (or its replacement) should implement the latest HTTP security enhancements

    Details

    • Sprint:
      AMQ Broker 1839, AMQ Broker 1842
    • Affects:
      Release Notes
    • Release Notes Text:
      AMQ Console now supports the following HTTP security specifications: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and X-Content-Type-Options. HSTS and HPKP are not enabled by default but can be configured through the new system properties "hawtio.http.strictTransportSecurity" and "hawtio.http.publicKeyPins".
    • Release Notes Docs Status:
      Documented as Feature Request

      Description

      The web console should implement the latest HTML/JS security extensions, including the following...

      • HTTP Strict Transport Security (HSTS)
        It should be possible for the console to be configured to tell browsers that HTTPS connections are preferred to HTTP
      • Public Key Pinning Extension
        The HTTPS web server responds to the client with a list of hashed public keys, one of which must match the certificate(s) it supplies to the client. This is to reduce the risk of man-in-the-middle attacks
      • X-XSS Protection
        The server should respond with the header that tells browsers to enable cross-site scripting filters (on the assumption that the console will not ever ask the browser to make cross-site scripting requests)
      • X Content Type Options
        The server should set the header that disables "content type sniffing" in the browser
      • Content Security Policy
        The server supplies headers that indicate the type of content that a page, and its embedded resources, are likely to supply.

      Most of these extensions are aimed at reducing the risks created by cross-site-scripting attacks. Probably most of them only require setting certain headers in the responses to the browser.
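Since the ticket boils down to "set the right headers and check that they are present with sane values", the following is an added example (not code from the Hawtio/AMQ project and not part of this issue) of a small audit that a tester could run over the headers captured from the console before and after the change. The header names come from the bullets above; the sample header sets, the pin values and the 180-day minimum HSTS age are constructed assumptions for the example.

```python
"""Audit an HTTP response header set for the protections listed in ENTMQBR-1025.

Feed it the headers captured from the console (browser network tab, curl -I)
and it reports, per header, whether the protection is missing, weak or ok.
"""
import re

# Constructed sample: what a console reply might look like before the change.
BEFORE_HEADERS = {"Content-Type": "text/html", "Server": "Jetty"}

# Constructed sample: a reply with all five headers set (pin values are placeholders).
AFTER_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER-PIN-1="; pin-sha256="PLACEHOLDER-BACKUP-PIN="; max-age=5184000',
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

def parse_directives(value):
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', 'includesubdomains': None}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = val.strip().strip('"')
        else:
            out[part.lower()] = None
    return out

def check_hsts(value, min_age=15552000):
    """HSTS: needs a numeric max-age; 180 days (assumed minimum) or more before it is useful."""
    if value is None:
        return "missing"
    d = parse_directives(value)
    try:
        age = int(d.get("max-age", ""))
    except ValueError:
        return "invalid max-age"
    if age < min_age:
        return f"max-age {age} below {min_age}"
    if "includesubdomains" not in d:
        return "ok (consider includeSubDomains)"
    return "ok"

def check_hpkp(value):
    """HPKP: RFC 7469 requires max-age and at least two pins (one must be a backup key)."""
    if value is None:
        return "missing"
    pins = re.findall(r'pin-sha256="([^"]+)"', value)  # dict parsing would collapse duplicates
    if "max-age" not in parse_directives(value):
        return "missing max-age"
    if len(pins) < 2:
        return "fewer than two pins (RFC 7469 requires a backup pin)"
    return "ok"

def check_nosniff(value):
    """X-Content-Type-Options: the only meaningful value is 'nosniff'."""
    if value is None:
        return "missing"
    return "ok" if value.strip().lower() == "nosniff" else f"unexpected value {value!r}"

def check_xss_protection(value):
    """X-XSS-Protection: legacy filter header; current browsers ignore it, CSP is the real control."""
    if value is None:
        return "missing"
    return "ok" if value.replace(" ", "").lower() == "1;mode=block" else f"unexpected value {value!r}"

def check_csp(value):
    """CSP: require a default-src fallback and reject 'unsafe-inline' in the script sources."""
    if value is None:
        return "missing"
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives:
        return "no default-src fallback"
    for name in ("default-src", "script-src"):
        if "'unsafe-inline'" in directives.get(name, []):
            return f"{name} allows 'unsafe-inline'"
    return "ok"

def audit(headers):
    """Return {header-name: finding} for the five headers the ticket asks for."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {
        "Strict-Transport-Security": check_hsts(h.get("strict-transport-security")),
        "Public-Key-Pins": check_hpkp(h.get("public-key-pins")),
        "X-Content-Type-Options": check_nosniff(h.get("x-content-type-options")),
        "X-XSS-Protection": check_xss_protection(h.get("x-xss-protection")),
        "Content-Security-Policy": check_csp(h.get("content-security-policy")),
    }

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        print(label)
        for name, finding in audit(hdrs).items():
            print(f"  {name}: {finding}")
```

The HSTS and HPKP checks are deliberately stricter than "header present": a tiny max-age or a single pin satisfies the letter of the ticket but gives no real protection, and HPKP with one pin can lock users out of the console if that key is ever rotated, which is why the audit flags it.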

                People

                • Assignee:
                  tadayosi Tadayoshi Sato
                  Reporter:
                  kboone Kevin Boone
                  Tester:
                  Petra Svobodova

                    Time Tracking

                    • Estimated: 1h
                    • Remaining: 1h
                    • Logged: Not Specified