Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-1025

Hawtio console (or its replacement) should implement the latest HTTP security enhancements

    XMLWordPrintable

Details

    • Release Notes
    • ?
    • Hide
      AMQ Console now supports the following HTTP security specifications: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and X-Content-Type-Options. For HSTS and HPKP, they are not enabled by default but can be configured through the new system property "hawtio.http.strictTransportSecurity" and "hawtio.http.publicKeyPins".
      Show
      AMQ Console now supports the following HTTP security specifications: HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP), and X-Content-Type-Options. For HSTS and HPKP, they are not enabled by default but can be configured through the new system property "hawtio.http.strictTransportSecurity" and "hawtio.http.publicKeyPins".
    • Documented as Feature Request
    • AMQ Broker 1839, AMQ Broker 1842

    Description

      The web console should implement the latest HTML/JS security extensions, including the following...

      • HTTP Strict Transport Security (HSTS)
        It should be possible for the console to be configured to tell browsers that HTTPS connections are preferred to HTTP
      • Public Key Pinning Extension
        The HTTPS web server responds to the client with a list of hashed public keys, one of which must match the certificates(s) it supplies to client. This is to restrict the risk of man-in-the-middle attacks
      • X-XSS Protection
        The server should respond with the header that tells browsers to enable cross-site scripting filters (on the assumption that the console will not ever ask the browser to make cross-site scripting requests)
      • X Content Type Options
        The server should set the header that disables "content type sniffing" in the browser
      • Content Security Policy
        The server supplies headers that indicate the type of content that a page, and its embedded resources, are likely to supply.

      Most of these extensions are aimed at reducing the risks created by cross-site-scripting attacks. Probably most of them only require setting certain headers in the responses to the browser.

      Attachments

        Issue Links

          causes

          Task - Represents a small unit of work that is not end-user facing. ENTMQBR-1883 Document "latest HTTP security enhancements" for HawtIO console

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. ENTMQBR-2220 Apply 'Content Security Policy' HTTP header to Hawtio

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

          Activity

            People

              rhn-support-tasato Tadayoshi Sato
              rhn-support-kboone Kevin Boone
              Petra Svobodova Petra Svobodova (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - 1 hour
                  1h
                  Remaining:
                  Remaining Estimate - 1 hour
                  1h
                  Logged:
                  Time Spent - Not Specified
                  Not Specified