Secure header configurations protect you from website attacks such as XSS and Clickjacking. The subsections in this topic describe the various methods that you can configure on your OFS AAI system to make it secure from such attacks.
Topics:
· Configure Security Header in the Database v8.1.2.0.0+
· Configure for X-Frame-Options
· Configure Referer Header Validation
· Configure HSTS in Response Header
Starting with Release 8.1.2.0.0, certain Security Header Configurations are moved from the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file to the AAI_SETUP_PROPS table of the Config Schema in the database.
NOTE:
If the OFS AAI Release is 8.1.2.0.0 version, apply the 31313960 One-Off Patch to make the Security Header Configurations in the Database Feature available in your application.
Do not apply the patch on later versions, because the feature is already included in them.
Use the SQL MERGE Statements examples shown in the following sections to configure the required parameters.
The MERGE statement compares the V_PROP_NAME value in the Source Table with the V_PROP_NAME values in the Target Table and inserts the property into the Target Table when no matching row exists (WHEN NOT MATCHED THEN INSERT); a row that already exists is left unchanged.
The valid V_PROP_VALUE values are TRUE or FALSE. The default is FALSE.
Set the value to TRUE to enable the X-Frame-Options header.
MERGE INTO aai_setup_props ut
USING (
SELECT 'FRAME-OPTIONS-ENABLED' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('FRAME-OPTIONS-ENABLED','FALSE','WEB','AAI')
/
The valid V_PROP_VALUE values are DENY or SAMEORIGIN. The default is DENY.
Configure ALLOW-FROM for X-Frame-Options to limit the domains that may frame the application, protecting against external parties who embed content that looks like yours in order to steal user data (clickjacking).
MERGE INTO aai_setup_props ut
USING (
SELECT 'X-FRAME-OPTIONS' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('X-FRAME-OPTIONS','SAMEORIGIN','WEB','AAI')
/
The valid V_PROP_VALUE values are set as per the CSP Rules. The default is NONE.
If you set this to NONE, the configuration is not enabled.
MERGE INTO aai_setup_props ut
USING (
SELECT 'CONTENT-SECURITY-POLICY' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('CONTENT-SECURITY-POLICY','NONE','WEB','AAI')
/
The valid V_PROP_VALUE values are *, <origin>, or NONE. The default is NONE.
ACCESS-CONTROL-ALLOW-ORIGIN, ACCESS-CONTROL-ALLOW-CREDENTIALS, and ACCESS-CONTROL-ALLOW-METHODS are not enabled when ACCESS-CONTROL-ALLOW-ORIGIN is configured to NONE.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ACCESS-CONTROL-ALLOW-ORIGIN' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ACCESS-CONTROL-ALLOW-ORIGIN','NONE','WEB','AAI')
/
The only valid V_PROP_VALUE value is TRUE.
This configuration is not enabled when ACCESS-CONTROL-ALLOW-ORIGIN is set to NONE.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ACCESS-CONTROL-ALLOW-CREDENTIALS' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ACCESS-CONTROL-ALLOW-CREDENTIALS','TRUE','WEB','AAI')
/
The valid V_PROP_VALUE values are GET, POST, PUT, and OPTIONS.
This configuration is not enabled when ACCESS-CONTROL-ALLOW-ORIGIN is set to NONE.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ACCESS-CONTROL-ALLOW-METHODS' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ACCESS-CONTROL-ALLOW-METHODS','GET, POST, PUT, OPTIONS','WEB','AAI')
/
The valid V_PROP_VALUE values are TRUE or FALSE. The default is FALSE.
Configure ACCESS-CONTROL-HEADERS-ENABLED to TRUE to enable ACCESS-CONTROL-ALLOW-HEADERS and ACCESS-CONTROL-EXPOSE-HEADERS.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ACCESS-CONTROL-HEADERS-ENABLED' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ACCESS-CONTROL-HEADERS-ENABLED','TRUE','WEB','AAI')
/
The valid V_PROP_VALUE values are Origin, X-Requested-With, Content-Type, Accept, Authorization, sessionId, _csrf, X-PING, or NONE. The default is NONE.
This configuration is enabled when ACCESS-CONTROL-HEADERS-ENABLED is set to TRUE.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ACCESS-CONTROL-ALLOW-HEADERS' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ACCESS-CONTROL-ALLOW-HEADERS','NONE','WEB','AAI')
/
The valid V_PROP_VALUE values are v*, Authorization, or NONE. The default is NONE.
This configuration is enabled when ACCESS-CONTROL-HEADERS-ENABLED is set to TRUE.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ACCESS-CONTROL-EXPOSE-HEADERS' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ACCESS-CONTROL-EXPOSE-HEADERS','NONE','WEB','AAI')
/
The valid V_PROP_VALUE values are TRUE or FALSE. The default is FALSE.
Set this value to TRUE to enable the allowed Referrer URL configuration.
MERGE INTO aai_setup_props ut
USING (
SELECT 'REFERRER-POLICY-ENABLED' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('REFERRER-POLICY-ENABLED','FALSE','WEB','AAI')
/
The only valid V_PROP_VALUE value is NONE.
Configure this value to NONE to set the HOST URL as the allowed URL in the following format:
http://<HOST_NAME>:<PORT_NUMBER>/
Separate URLs with a single space. Adding the URLs without a space between them or adding two or more spaces between them results in errors.
MERGE INTO aai_setup_props ut
USING (
SELECT 'ALLOWED-REFERRER-URLS' AS V_PROP_NAME FROM dual
) md ON (ut.V_PROP_NAME = md.V_PROP_NAME)
WHEN NOT MATCHED THEN
INSERT (V_PROP_NAME,V_PROP_VALUE,V_PROP_TIER,V_SEEDED_BY)
VALUES ('ALLOWED-REFERRER-URLS','NONE','WEB','AAI')
/
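The property values above carry several constraints that the MERGE statements themselves do not enforce: fixed value sets, the ACCESS-CONTROL-* dependencies on ACCESS-CONTROL-ALLOW-ORIGIN and ACCESS-CONTROL-HEADERS-ENABLED, and the single-space, trailing-slash format of ALLOWED-REFERRER-URLS. The following added example (not OFS AAI product code) checks a set of V_PROP_NAME/V_PROP_VALUE pairs against those documented rules before they are applied. It assumes that the ACCESS-CONTROL-ALLOW-HEADERS and ACCESS-CONTROL-EXPOSE-HEADERS lists are comma-separated like the documented ACCESS-CONTROL-ALLOW-METHODS value, and it adds one browser-side CORS rule that the page does not state: a wildcard origin cannot be combined with credentials. The sample rows are constructed.

```python
"""Sanity-check OFS AAI security-header property values before running the MERGE statements.

Added example, not part of the OFS AAI product. The valid values and the dependencies
between properties follow the descriptions in this section. Assumption: the
ACCESS-CONTROL-ALLOW-HEADERS and ACCESS-CONTROL-EXPOSE-HEADERS lists are comma-separated,
like the documented ACCESS-CONTROL-ALLOW-METHODS value. Sample rows are constructed.
"""
from urllib.parse import urlsplit

# Properties with a fixed set of documented values (V_PROP_NAME -> allowed V_PROP_VALUE).
ENUMS = {
    "FRAME-OPTIONS-ENABLED": {"TRUE", "FALSE"},
    "X-FRAME-OPTIONS": {"DENY", "SAMEORIGIN"},
    "ACCESS-CONTROL-ALLOW-CREDENTIALS": {"TRUE"},
    "ACCESS-CONTROL-HEADERS-ENABLED": {"TRUE", "FALSE"},
    "REFERRER-POLICY-ENABLED": {"TRUE", "FALSE"},
}
ALLOWED_METHODS = {"GET", "POST", "PUT", "OPTIONS"}
ALLOWED_HEADERS = {"Origin", "X-Requested-With", "Content-Type", "Accept",
                   "Authorization", "sessionId", "_csrf", "X-PING"}
EXPOSE_HEADERS = {"v*", "Authorization"}


def bad_list_items(value, allowed):
    """Return the items of a comma-separated value that are not in `allowed`."""
    return [item.strip() for item in value.split(",") if item.strip() not in allowed]


def url_list_problems(value):
    """Check a space-separated URL list as the page specifies: exactly one space
    between URLs and a trailing '/' on every URL. Returns a list of problems."""
    problems = []
    if value != value.strip() or "  " in value:
        problems.append("use exactly one space between URLs")
    for url in value.split():
        parts = urlsplit(url)
        if url.count("://") != 1:
            problems.append(f"missing space between URLs in {url!r}")
        elif parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"not an absolute http(s) URL: {url!r}")
        elif not url.endswith("/"):
            problems.append(f"URL must end with '/': {url!r}")
    return problems


def validate(props):
    """Return the problems found in a {V_PROP_NAME: V_PROP_VALUE} mapping, as read
    from AAI_SETUP_PROPS. An empty list means the values follow the documented rules."""
    problems = []
    for name, allowed in ENUMS.items():
        if name in props and props[name] not in allowed:
            problems.append(f"{name}: {props[name]!r} is not one of {sorted(allowed)}")

    origin = props.get("ACCESS-CONTROL-ALLOW-ORIGIN", "NONE")
    if origin not in ("*", "NONE"):
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
            problems.append(f"ACCESS-CONTROL-ALLOW-ORIGIN: {origin!r} is not '*', NONE or an origin")
    if origin == "NONE":
        for dep in ("ACCESS-CONTROL-ALLOW-CREDENTIALS", "ACCESS-CONTROL-ALLOW-METHODS"):
            if dep in props:
                problems.append(f"{dep} has no effect while ACCESS-CONTROL-ALLOW-ORIGIN is NONE")
    elif origin == "*" and props.get("ACCESS-CONTROL-ALLOW-CREDENTIALS") == "TRUE":
        # CORS rule: browsers reject credentialed responses that carry a wildcard origin.
        problems.append("ACCESS-CONTROL-ALLOW-ORIGIN '*' cannot be combined with ALLOW-CREDENTIALS TRUE")
    if "ACCESS-CONTROL-ALLOW-METHODS" in props:
        for method in bad_list_items(props["ACCESS-CONTROL-ALLOW-METHODS"], ALLOWED_METHODS):
            problems.append(f"ACCESS-CONTROL-ALLOW-METHODS: unsupported method {method!r}")

    headers_on = props.get("ACCESS-CONTROL-HEADERS-ENABLED", "FALSE") == "TRUE"
    for name, allowed in (("ACCESS-CONTROL-ALLOW-HEADERS", ALLOWED_HEADERS),
                          ("ACCESS-CONTROL-EXPOSE-HEADERS", EXPOSE_HEADERS)):
        value = props.get(name, "NONE")
        if value == "NONE":
            continue
        if not headers_on:
            problems.append(f"{name} has no effect while ACCESS-CONTROL-HEADERS-ENABLED is not TRUE")
        for header in bad_list_items(value, allowed):
            problems.append(f"{name}: unsupported header {header!r}")

    referrers = props.get("ALLOWED-REFERRER-URLS", "NONE")
    if referrers != "NONE":
        problems.extend(f"ALLOWED-REFERRER-URLS: {p}" for p in url_list_problems(referrers))
    return problems


# Constructed sample rows, in the shape SELECT V_PROP_NAME, V_PROP_VALUE FROM aai_setup_props returns.
GOOD = {
    "FRAME-OPTIONS-ENABLED": "TRUE",
    "X-FRAME-OPTIONS": "SAMEORIGIN",
    "CONTENT-SECURITY-POLICY": "default-src 'self'",
    "ACCESS-CONTROL-ALLOW-ORIGIN": "https://portal.example.com",
    "ACCESS-CONTROL-ALLOW-CREDENTIALS": "TRUE",
    "ACCESS-CONTROL-ALLOW-METHODS": "GET, POST, PUT, OPTIONS",
    "ACCESS-CONTROL-HEADERS-ENABLED": "TRUE",
    "ACCESS-CONTROL-ALLOW-HEADERS": "Origin, Content-Type, Authorization",
    "ACCESS-CONTROL-EXPOSE-HEADERS": "Authorization",
    "REFERRER-POLICY-ENABLED": "TRUE",
    "ALLOWED-REFERRER-URLS": "https://ofsaa.example.com:8443/ https://portal.example.com/",
}
BAD = {
    "X-FRAME-OPTIONS": "ALLOW-FROM https://x.example/",      # not DENY or SAMEORIGIN
    "ACCESS-CONTROL-ALLOW-ORIGIN": "*",
    "ACCESS-CONTROL-ALLOW-CREDENTIALS": "TRUE",               # wildcard origin + credentials
    "ACCESS-CONTROL-ALLOW-METHODS": "GET, DELETE",            # DELETE is not a documented value
    "ALLOWED-REFERRER-URLS": "https://a.example.com/  https://b.example.com",  # double space, no slash
}

if __name__ == "__main__":
    for label, props in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(props) or "OK")
```

Run it against the rows you plan to MERGE (or against a dump of the table after the MERGE) and treat any reported problem as something to correct before restarting the web tier; the "has no effect" items are not errors but tell you which rows are silently ignored with the current ACCESS-CONTROL-ALLOW-ORIGIN and ACCESS-CONTROL-HEADERS-ENABLED settings.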
Configure X-Frame-Options to protect against external parties who embed content that looks like yours in order to steal user data.
NOTE:
In v8.1.2.0.0 and later versions, this configuration can be set in the database. For details on how to do it, see the Configure Security Header in the Database (v8.1.2.0.0+) Section.
To configure X-Frame-Options, set the following security filter configuration for the response header:
The web.xml file in the $FIC_HOME/ficweb/webroot/WEB-INF/ directory is configured by default to set the X-Frame-Options response header. Add ALLOW-FROM to X-Frame-Options to limit the domains that may frame the application.
X-Frame-Options
<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>ALLOW-FROM <URL1>/ <URL2>/</param-value>
  </init-param>
</filter>
NOTE:
· If ALLOW-FROM is not configured, the SAMEORIGIN value is set in the response. URL1 and URL2 refer to URLs of different domains.
· X-Frame-Options is supported only on the Internet Explorer browser.
· Separate <URL1>/ and <URL2>/ with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
Configure Cross-Origin Resource Sharing (CORS) to use additional HTTP headers that tell browsers to allow a web application running at one origin to access selected resources from another origin.
NOTE:
In v8.1.2.0.0 and later versions, this configuration can be set in the database. For details on how to do it, see the Configure Security Header in the Database (v8.1.2.0.0+) Section.
Set the Access-Control-Allow-Origin header in the web.xml file.
For more information, see the Setting Access-Control-Allow-Origin header section in the OFS Analytical Applications Infrastructure Administration Guide.
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross-Site Scripting (XSS) and data injection attacks.
NOTE:
The configurations to set the Content Security Policy are supported only on Mozilla Firefox and Google Chrome browsers.
In v8.1.2.0.0 and later versions, this configuration can be set in the database. For details on how to do it, see the Configure Security Header in the Database (v8.1.2.0.0+) Section.
To configure CSP, follow these steps:
1. Navigate to the web.xml file in the $FIC_HOME/ficweb/webroot/WEB-INF/ directory.
2. Find the following tag:
<context-param>
  <param-name>DOCSERVICE</param-name>
  <param-value>ExternalWSManager</param-value>
</context-param>
3. Add the following tags after the tag in Step 2:
a. Use the following tags to keep the default configuration:
<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>
WARNING:
Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
To keep the default configuration, retain the tags as shown in the preceding list. To customize the configuration, see the following example and modify it as required:
b. Use the following tags to customize the default configuration:
<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the preceding example, define the policy by replacing:
· default-src: leave as is, with no additional value; it is set to 'self'.
· <SCRURL>: with the URL of the script that you want to allow to run, which prevents any other script from running.
· <IMGURL>: with the image URLs from trusted sources from which you want to load images and prevent images from untrusted sources.
· <CSSURL>: with the URL of the stylesheet to allow styles from the specified stylesheet and to prevent styles from other sources.
Referrer Header Validation protects against CSRF attacks by accepting requests only from validated host URLs.
NOTE:
In v8.1.2.0.0 and later versions, this configuration can be set in the database. For details on how to do it, see the Configure Security Header in the Database (v8.1.2.0.0+) Section.
To configure Referrer Header validation, follow these steps:
1. Navigate to the web.xml file in the $FIC_HOME/ficweb/webroot/WEB-INF/ directory.
2. Add the following tag:
<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value><URL1>/ <URL2>/</param-value>
  </init-param>
</filter>
NOTE:
1. Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
2. If you choose to set Referrer-Policy to no-referrer, follow these steps instead; the preceding steps to configure Referrer Header validation are then not required. If your OFS AAI version is 8.1.0.0.0, you must apply the one-off patch 32499890 for the following configuration. If your OFS AAI version is 8.1.0.2.0 or a later ML version, the following configuration is available by default.
a. Open the web.xml file in the $FIC_HOME/ficweb/webroot/WEB-INF/ directory. The REFERRER_POLICY_FLAG is set to TRUE by default in the web.xml file, as shown in the following tag:
<context-param>
  <param-name>REFERRER_POLICY_FLAG</param-name>
  <param-value>TRUE</param-value>
</context-param>
b. Set the REFERRER_POLICY_FLAG value in the web.xml file to FALSE.
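The AllowHosts value is only useful if the filter's comparison cannot be satisfied by a look-alike origin, which is why the page insists on the trailing slash and the single-space separator. The following added example (not the code of com.iflex.fic.filters.FilterServlet) parses an AllowHosts value with the page's formatting rules and then decides whether a request's Referer header passes. The matching rule is an assumption: the Referer's scheme and host must equal those of an allowed URL and its path must start with the allowed URL's path, so https://portal.example.com.evil.test or a userinfo trick such as https://portal.example.com@evil.test/ is rejected. The `require_referer` flag models the Referrer-Policy no-referrer case from the note above. All sample values are constructed.

```python
"""Simulate the Referrer Header Validation configured through the AllowHosts parameter.

Added example, not the code of com.iflex.fic.filters.FilterServlet. The matching rule
is an assumption: scheme and host of the Referer must equal those of an allowed URL
and the Referer path must start with the allowed path. Sample values are constructed.
"""
from urllib.parse import urlsplit


def allow_hosts_problem(param_value):
    """Return what is wrong with an AllowHosts <param-value>, or None if it is well formed.
    The rules are the ones the page states: exactly one space between URLs and a
    trailing '/' on each URL."""
    if param_value != param_value.strip() or "  " in param_value:
        return "separate URLs with exactly one space"
    for url in param_value.split(" "):
        if url.count("://") != 1:
            return f"missing space between URLs in {url!r}"
        if not url.endswith("/"):
            return f"{url!r} must end with '/'"
    return None


def parse_allow_hosts(param_value):
    """Parse a valid AllowHosts value into a list of allowed URLs; raise on a malformed one."""
    problem = allow_hosts_problem(param_value)
    if problem:
        raise ValueError(f"AllowHosts: {problem}")
    return param_value.split(" ")


def _split(url):
    """Normalise a URL to (scheme, host[:port], path) with case-insensitive scheme and host."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower(), parts.path or "/"


def referer_allowed(referer, allowed_urls, require_referer=True):
    """Decide whether a request's Referer header passes validation.

    A request without a Referer is rejected unless require_referer is False. That
    corresponds to a deployment using Referrer-Policy no-referrer (REFERRER_POLICY_FLAG
    set to FALSE in this section), where the page says the AllowHosts steps are not
    required; browsers then send no Referer at all.
    """
    if not referer:
        return not require_referer
    r_scheme, r_host, r_path = _split(referer)
    for url in allowed_urls:
        a_scheme, a_host, a_path = _split(url)
        if (r_scheme, r_host) == (a_scheme, a_host) and r_path.startswith(a_path):
            return True
    return False


# Constructed AllowHosts value, in the format the web.xml <param-value> expects.
ALLOW_HOSTS = "https://ofsaa.example.com:8443/ https://portal.example.com/"
ALLOWED = parse_allow_hosts(ALLOW_HOSTS)

if __name__ == "__main__":
    for referer in ("https://ofsaa.example.com:8443/fic/login",
                    "https://portal.example.com.evil.test/",
                    "https://portal.example.com@evil.test/",
                    ""):
        verdict = "allowed" if referer_allowed(referer, ALLOWED) else "rejected"
        print(f"{referer!r:45} -> {verdict}")
```

Comparing scheme and host as parsed components rather than doing a plain string prefix match is the design point: with a plain `startswith` on "https://portal.example.com" (no trailing slash) the host "portal.example.com.evil.test" would pass, which is exactly the mistake the page's trailing-slash rule guards against.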
Set HTTP Strict Transport Security (HSTS) in the response header so that clients interact with the server application only over Hypertext Transfer Protocol Secure (HTTPS). Configure the Strict-Transport-Security response header field through the Oracle HTTP Server (OHS).
To configure HSTS, follow these steps:
1. Open the OHS conf file httpd.conf in the $INSTANCE_HOME/INSTANCE_NAME/config/OHS/INSTANCE_NAME/ directory.
2. Add the following in the file and save it:
# HSTS for two years, applied to subdomains as well; the value must be quoted so that it is passed as one argument
Header set Strict-Transport-Security "max-age=63072000; includeSubdomains"
3. Restart OHS.
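After the web.xml CSP tags and the OHS HSTS directive are in place, the practical check is to look at what the application actually returns. The following added example (not product code) audits the header section of an HTTP response for the settings this page covers: it expects X-Frame-Options to be DENY or SAMEORIGIN (the values configurable in the database), parses the Content-Security-Policy directives and flags 'unsafe-inline' and 'unsafe-eval' in script-src (both appear in the default CSP tags shown earlier and allow injected inline scripts to run, which is why the custom <SCRURL> form is preferable), and parses Strict-Transport-Security for max-age and includeSubDomains. The one-year max-age threshold is a baseline chosen here, not a value from the page; the two sample responses are constructed.

```python
"""Audit the security headers in an HTTP response against the settings this page describes.

Added example, not the product's code. The one-year HSTS threshold is a chosen baseline.
The sample responses are constructed; capture real ones from the application for use.
"""

ONE_YEAR = 31536000


def parse_headers(raw):
    """Parse the header section of a raw HTTP response into {lowercase-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1].strip().strip('"'))
        elif directive.lower() == "includesubdomains":   # directive names are case-insensitive
            subdomains = True
    return max_age, subdomains


def audit(raw):
    """Return a list of findings for one response; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: the page can be framed (clickjacking)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is neither DENY nor SAMEORIGIN")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = parse_csp(csp)
        if "default-src" not in d:
            findings.append("CSP: no default-src fallback directive")
        script = d.get("script-src", d.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:
                findings.append(f"CSP: script-src allows {weak}, which weakens XSS protection")
        for name, sources in d.items():
            if "*" in sources:
                findings.append(f"CSP: {name} allows any source (*)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: HTTPS is not enforced by the browser")
    else:
        max_age, subdomains = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
        if not subdomains:
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed responses: one carrying only the page's default CSP tags, one fully hardened.
RESPONSE_DEFAULT_CSP = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'
"""
RESPONSE_HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self' data:; style-src 'self'
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Referrer-Policy: no-referrer
"""

if __name__ == "__main__":
    for label, raw in (("default CSP only", RESPONSE_DEFAULT_CSP), ("hardened", RESPONSE_HARDENED)):
        print(label, "->", audit(raw) or "no findings")
```

Feed it the raw response captured from the OHS front end (for example with a command-line HTTP client saving headers) rather than from the application server directly, since the HSTS header is added by OHS and would be missing one hop earlier.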