SecurityHeadersPolicy in alfresco-security-config.xml. We did this mainly to improve mitigation of clickjacking attacks, but we also added 2 headers to tighten up the security in Internet Explorer after a tip from Jens Goldhammer at FME.

```xml
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <value>SAMEORIGIN</value>
    </header>
    <header>
      <name>X-Content-Type-Options</name>
      <value>nosniff</value>
    </header>
    <header>
      <name>X-XSS-Protection</name>
      <value>1; mode=block</value>
    </header>
  </headers>
</config>
```
SAMEORIGIN, which means that Share pages are only allowed to be (i)framed inside Share or other webapps that happen to live under the same domain. In other words it will, for example, be possible to include http://www.acme.com/share inside an iframe on http://www.acme.com/portal.
share-config-custom.xml file:

```xml
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <value>DENY</value>
    </header>
  </headers>
</config>
```
```xml
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <enabled>false</enabled>
    </header>
  </headers>
</config>
```
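To see how a share-config-custom.xml override interacts with the shipped defaults, the following script parses SecurityHeadersPolicy config blocks and computes the header set that would actually be sent. This is an added example and not Alfresco's own code: the merge rule it applies (headers are matched by `<name>`, a later `<value>` replaces an earlier one, and `<enabled>false</enabled>` drops the header entirely) is an assumption made for this illustration of the override and disable cases shown above, and the three config strings are the page's own snippets embedded as constructed input.

```python
"""Compute the effective SecurityHeadersPolicy header set from default + custom config.

Added example, not Alfresco's code. The merge semantics (match by <name>, later
<value> wins, <enabled>false</enabled> removes the header) are an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the default policy shipped in alfresco-security-config.xml
DEFAULT_CONFIG = """
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header><name>X-Frame-Options</name><value>SAMEORIGIN</value></header>
    <header><name>X-Content-Type-Options</name><value>nosniff</value></header>
    <header><name>X-XSS-Protection</name><value>1; mode=block</value></header>
  </headers>
</config>
"""

# Constructed sample: share-config-custom.xml that tightens X-Frame-Options to DENY
CUSTOM_DENY = """
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header><name>X-Frame-Options</name><value>DENY</value></header>
  </headers>
</config>
"""

# Constructed sample: share-config-custom.xml that switches X-Frame-Options off
CUSTOM_DISABLE = """
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header><name>X-Frame-Options</name><enabled>false</enabled></header>
  </headers>
</config>
"""


def parse_policy(xml_text):
    """Return a list of (name, value, enabled) tuples from one <config> block.

    Raises ValueError if the block is not a SecurityHeadersPolicy config or a
    <header> lacks a <name>, so a misplaced override fails loudly.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "config" or root.get("condition") != "SecurityHeadersPolicy":
        raise ValueError("not a SecurityHeadersPolicy <config> block")
    entries = []
    for header in root.iter("header"):
        name = header.findtext("name")
        if not name or not name.strip():
            raise ValueError("<header> without a <name>")
        value = header.findtext("value")
        # Missing <enabled> means enabled; only an explicit "false" disables it.
        enabled = header.findtext("enabled", "true").strip().lower() != "false"
        entries.append((name.strip(), value.strip() if value else None, enabled))
    return entries


def effective_headers(*configs):
    """Merge config blocks in order (defaults first, custom overrides later).

    Assumed rule: a later block with the same <name> replaces the value, and
    <enabled>false</enabled> removes the header from the response entirely.
    """
    merged = {}
    for xml_text in configs:
        for name, value, enabled in parse_policy(xml_text):
            if not enabled:
                merged.pop(name, None)
            elif value is not None:
                merged[name] = value
            # An enabled header with no <value> keeps whatever was set before.
    return merged


if __name__ == "__main__":
    for label, cfgs in (("defaults", (DEFAULT_CONFIG,)),
                        ("deny override", (DEFAULT_CONFIG, CUSTOM_DENY)),
                        ("disabled", (DEFAULT_CONFIG, CUSTOM_DISABLE))):
        print(label, effective_headers(*cfgs))
```

Running it shows the three outcomes the post describes: the default set, the same set with `X-Frame-Options: DENY`, and the set with `X-Frame-Options` absent. The order of arguments matters, since the custom file is meant to be applied after the shipped defaults.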
IFramePolicy. It will decide which URLs Alfresco Share will allow to be put inside an iframe in the Alfresco Share client.

nosniff in the header.

'1; mode=block' for this header, which means that if IE *thinks* it has found an XSS attack it will not execute the code (instead of sanitizing it and running it, which is the default).

'0', which means that IE shall not even try to inspect the code for XSS attacks.

Strict-Transport-Security header as an example: it is used to force your browser to only allow https and not http communication. It is not provided by default in Alfresco Share, but can be added by placing the following code inside your share-config-custom.xml file:

```xml
<config evaluator='string-compare' condition='SecurityHeadersPolicy'>
  <headers>
    <header>
      <name>Strict-Transport-Security</name>
      <value>max-age=31536000</value>
    </header>
  </headers>
</config>
```
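Once the policy is deployed, the useful check is to look at what the server actually returns. The script below audits a set of response headers against the four headers discussed in this post (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security). It is an added example, not part of the original post or of Alfresco Share: the two header sets are constructed, and the ok/weak/disabled classification is this example's own, with the HSTS threshold taken from the post's `max-age=31536000` value.

```python
"""Audit HTTP response headers against the SecurityHeadersPolicy recommendations.

Added example, not Alfresco's code. The classification rules are this
example's own; the sample header dicts are constructed.
"""

ONE_YEAR = 31536000  # the max-age used in the post's Strict-Transport-Security example


def _lookup(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_hsts_max_age(value):
    """Return the max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_security_headers(headers):
    """Return {header-name: (status, detail)} for the four headers in the post."""
    findings = {}

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        findings["X-Frame-Options"] = ("missing", "pages may be framed by any origin")
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = ("ok", xfo.upper())
    else:
        findings["X-Frame-Options"] = ("weak", "unrecognised value: " + xfo)

    xcto = _lookup(headers, "X-Content-Type-Options")
    if xcto is None:
        findings["X-Content-Type-Options"] = ("missing", "browser may sniff content types")
    elif xcto.lower() == "nosniff":
        findings["X-Content-Type-Options"] = ("ok", "nosniff")
    else:
        findings["X-Content-Type-Options"] = ("weak", "unrecognised value: " + xcto)

    xxp = _lookup(headers, "X-XSS-Protection")
    if xxp is None:
        findings["X-XSS-Protection"] = ("missing", "IE uses its default sanitize-and-run mode")
    else:
        parts = [p.strip().lower() for p in xxp.split(";")]
        if parts[0] == "0":
            findings["X-XSS-Protection"] = ("disabled", "IE will not inspect for XSS at all")
        elif parts[0] == "1" and "mode=block" in parts[1:]:
            findings["X-XSS-Protection"] = ("ok", "1; mode=block")
        elif parts[0] == "1":
            findings["X-XSS-Protection"] = ("weak", "filter on, but sanitizes and runs the page")
        else:
            findings["X-XSS-Protection"] = ("weak", "unrecognised value: " + xxp)

    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings["Strict-Transport-Security"] = ("missing", "http is not forced to https")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            findings["Strict-Transport-Security"] = ("weak", "no numeric max-age directive")
        elif max_age >= ONE_YEAR:
            findings["Strict-Transport-Security"] = ("ok", "max-age=%d" % max_age)
        else:
            findings["Strict-Transport-Security"] = ("weak", "max-age below one year: %d" % max_age)
    return findings


# Constructed sample: what Share sends with the post's config plus the HSTS addition
GOOD_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
}

# Constructed sample: a response with the IE filter switched off and the rest missing
WEAK_RESPONSE = {
    "x-frame-options": "ALLOWALL",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for name, (status, detail) in audit_security_headers(WEAK_RESPONSE).items():
        print("%-26s %-9s %s" % (name, status, detail))
```

Feeding it the headers from a real Share response (for instance the dict returned by a `requests` or `urllib` call) gives a quick view of which of the four headers are set to the values described above and which are missing or set to the weaker variants.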