Story
Resolution: Done
Major
None
AMQ 7.0.3.GA
The web console should implement the latest HTTP security headers, including the following:
- HTTP Strict Transport Security (HSTS)
It should be possible to configure the console to send the Strict-Transport-Security header, which tells browsers to use only HTTPS (never plain HTTP) for this host for the max-age it specifies; the header is honoured only when received over HTTPS.
- Public Key Pinning Extension (HPKP)
The HTTPS server sends the browser a Public-Key-Pins header containing a list of hashed public keys (base64 of the SHA-256 over each DER-encoded SubjectPublicKeyInfo), at least one of which must match a key in the certificate chain it presents; a browser that has stored the pins rejects later connections whose chain matches none of them. This limits the risk of man-in-the-middle attacks using a certificate issued for a different key. At least two pins must be sent (one for the live key, one for a backup key), since a pin set with no rotation path locks clients out for the whole max-age.
- X-XSS-Protection
The server should send X-XSS-Protection: 1; mode=block, which tells browsers that have a reflected cross-site-scripting filter to block the page rather than render it when request content is reflected as script. The console never legitimately reflects request data into script, so blocking is safe.
- X-Content-Type-Options
The server should send X-Content-Type-Options: nosniff, which stops the browser from guessing ("sniffing") a content type other than the one in the Content-Type header, e.g. executing a text or image response as script.
- Content Security Policy (CSP)
The server sends a Content-Security-Policy header that declares, per resource type (script-src, style-src, img-src, frame-src, connect-src, with default-src as the fallback), which origins the page and its embedded resources may be loaded from; anything outside the allow-list is blocked, and inline script is refused unless 'unsafe-inline' is explicitly allowed.
Most of these headers are aimed at reducing the risk created by cross-site-scripting attacks; HSTS and pinning address transport-level interception instead. All of them are implemented by adding headers to the console's HTTP responses, so the work is mainly making the values configurable.
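As an added example (not code from Hawtio, AMQ, or this issue), the following Python audit takes the headers a console answers with and reports which of the five headers above are missing or weakly configured, so the configuration can be verified after the change lands. The 180-day HSTS threshold, the placeholder pins, and the two sample header sets are my assumptions, constructed for the example. Two caveats for anyone applying this story today: a mis-set HPKP pin locks pinned browsers out for the pin's max-age, and Chrome and Firefox have since removed HPKP support entirely (Chrome and Edge have also removed their XSS filters), so in practice CSP is the header that carries the XSS protection.

```python
"""Audit an HTTP response for the security headers this story calls for.
Added example, not Hawtio/AMQ code; thresholds and samples are assumptions."""
import base64
import hashlib
import re


def _header(headers: dict, name: str) -> str:
    """Case-insensitive lookup of one header value ('' if absent)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _directives(value: str) -> dict:
    """Split 'a=1; b; c="2"' into {'a': '1', 'b': '', 'c': '2'} (keys lower-cased)."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def audit_security_headers(headers: dict, min_hsts_age: int = 15552000) -> list:
    """Return findings as strings; an empty list means every check passed.
    min_hsts_age (180 days) is a threshold chosen for this example."""
    findings = []

    # HSTS: max-age=0 clears the policy, and a short max-age gives little protection.
    hsts = _directives(_header(headers, "Strict-Transport-Security"))
    if not hsts:
        findings.append("HSTS: header missing")
    else:
        age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else -1
        if age < min_hsts_age:
            findings.append(f"HSTS: max-age {age} below {min_hsts_age}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS: includeSubDomains not set")

    # HPKP (RFC 7469): a pin is base64(SHA-256(DER SubjectPublicKeyInfo)).
    # Two pins minimum: the second is the backup key you can rotate to.
    hpkp = _header(headers, "Public-Key-Pins")
    if not hpkp:
        findings.append("HPKP: header missing")
    else:
        pins = re.findall(r'pin-sha256="([A-Za-z0-9+/]+=*)"', hpkp)
        if len(pins) < 2:
            findings.append("HPKP: fewer than two pin-sha256 values (no backup pin)")
        if "max-age" not in _directives(re.sub(r'pin-sha256="[^"]*"', "", hpkp)):
            findings.append("HPKP: max-age missing")

    # X-XSS-Protection: '1; mode=block' blocks the page instead of rewriting it.
    xss = _directives(_header(headers, "X-XSS-Protection"))
    if "1" not in xss or xss.get("mode") != "block":
        findings.append("X-XSS-Protection: expected '1; mode=block'")

    # X-Content-Type-Options: 'nosniff' is the only defined value.
    if _header(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    # CSP: script-src (or default-src as fallback) must exist and must not
    # allow inline or wildcard script, which would undo the XSS protection.
    csp = _header(headers, "Content-Security-Policy")
    if not csp:
        findings.append("CSP: header missing")
    else:
        sources = {}
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens:
                sources[tokens[0].lower()] = tokens[1:]
        script_src = sources.get("script-src", sources.get("default-src", []))
        if not script_src:
            findings.append("CSP: no script-src or default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP: script-src allows inline or wildcard sources")

    return findings


def _fake_pin(label: bytes) -> str:
    """Placeholder pin in the right format; real pins hash the cert's DER SPKI."""
    return base64.b64encode(hashlib.sha256(label).digest()).decode()


# Constructed samples, not captured from a real console.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": (f'pin-sha256="{_fake_pin(b"primary-key")}"; '
                        f'pin-sha256="{_fake_pin(b"backup-key")}"; max-age=5184000'),
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_security_headers(hdrs) or "all checks passed")
```

Against the weak sample the audit returns six findings (two for HSTS, one each for the other four headers); against the hardened sample it returns none. To run it against a live console, feed it the `headers` dict from any HTTP client's response to the console's login page over HTTPS.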
causes: ENTMQBR-1883 Document "latest HTTP security enhancements" for HawtIO console (Closed)
is related to: ENTMQBR-2220 Apply 'Content Security Policy' HTTP header to Hawtio (Closed)