Security based Header changes

Permanently deleted user

August 21, 2018 05:19

Hi

 

We have been asked to asses the header handling in a clients site after a set of penetration tests was performed.

 

The following items were flagged, but a search of the internet leaves some ambiguity about what these header values are set to, how they will affect a working instance of Geocortex Essentials. I understand they are set in IIS as custom headers, but I'm concerned they may cause issues with the application.

 

 

Can anyone enlighten me?

 

Thanks

 

Header Name:

 

Content-Security-Policy

 

HTTP Strict-Transport-Security

 

X-Frame-Options

 

X-Content-Type-Options

 

X-XSS Protection

 

 

 

0

• 

  Permanently deleted user

  November 16, 2018 23:57

  Hi Roland,

   

  I did a quick search of our code base and bug tracker and I didn't find any information about these headers.  I'm not sure that Essentials would set them, or even care what values are used if they are set.  

   

  From my brief research, I think these headers are intended to ensure that a compliant browser does not allow any cross-site scripting attacks.  However, I'm not sure what effect, if any, that would have on the Geocortex viewer.

   

  I expect that you will not encounter any issues if you add these headers.  If you do, though, then the browser console should show you why the errors are occuring and may even suggest a workaround (for example, if you define HTTP Strict-Transport-Security then you may also need to migrate to an HTTPS server to enforce the security)

   

  If you do encounter any unexpected issues, please either post here or open a support ticket if it's urgent.

   

  Regards,

   

  -Malcolm

  0

Please sign in to leave a comment.