Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-1025

Hawtio console (or its replacement) should implement the latest HTTP security enhancements

XMLWordPrintable

    • Release Notes
    • ?
    • Hide
      AMQ Console now supports the following HTTP security specifications: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and X-Content-Type-Options. For HSTS and HPKP, they are not enabled by default but can be configured through the new system property "hawtio.http.strictTransportSecurity" and "hawtio.http.publicKeyPins".
      Show
      AMQ Console now supports the following HTTP security specifications: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and X-Content-Type-Options. For HSTS and HPKP, they are not enabled by default but can be configured through the new system property "hawtio.http.strictTransportSecurity" and "hawtio.http.publicKeyPins".
    • Documented as Feature Request
    • AMQ Broker 1839, AMQ Broker 1842

      The web console should implement the latest HTML/JS security extensions, including the following...

      • HTTP Strict Transport Security (HSTS)
        It should be possible for the console to be configured to tell browsers that HTTPS connections are preferred to HTTP
      • Public Key Pinning Extension
        The HTTPS web server responds to the client with a list of hashed public keys, one of which must match the certificates(s) it supplies to client. This is to restrict the risk of man-in-the-middle attacks
      • X-XSS Protection
        The server should respond with the header that tells browsers to enable cross-site scripting filters (on the assumption that the console will not ever ask the browser to make cross-site scripting requests)
      • X Content Type Options
        The server should set the header that disables "content type sniffing" in the browser
      • Content Security Policy
        The server supplies headers that indicate the type of content that a page, and its embedded resources, are likely to supply.

      Most of these extensions are aimed at reducing the risks created by cross-site-scripting attacks. Probably most of them only require setting certain headers in the responses to the browser.

              rhn-support-tasato Tadayoshi Sato
              rhn-support-kboone Kevin Boone
              Petra Svobodova Petra Svobodova (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved:

                  Estimated:
                  Original Estimate - 1 hour
                  1h
                  Remaining:
                  Remaining Estimate - 1 hour
                  1h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified