Why certain Security Headers are not included in the HTTP Request and Response of Liferay DXP

Issue

  • The following headers are missing in Liferay:
    1. Missing ”X-Content-Type-Options” header 
    2. Missing ”X-XSS Protection” header 
    3. Missing ”X-Frame-Options” header
    4. Missing ”Content-Security-Policy” header
    5. Missing ”Strict-Transport-Security” header 
    6. Missing cross-origin resource sharing(CORS) 
    7. Missing ”Public-Key-Pins” header 

Environment

  • Liferay DXP 7.0-7.2

Resolution

  •  The following headers are available by default when inspected any of the requests.
    1. "X-Content-Type-Options" header
    2. "X-XSSProtection" header
    3. "X-Frame-Options" headers Screenshot_from_2020-01-28_17-22-27.png
  • For the rest of the headers:
    1. "Content-Security-Policy" header: Liferay Portal doesn't directly support CSP in the sense that there's no configuration / UI for setting CSP directives. However, the CSP directives can be added on your own (eg, via your web server, theme). The Content Security Policy (CSP) article might help to achieve this.
    2. "Strict-Transport-Security" header: This configuration should be performed on Application Server like Tomcat (and not on Liferay) side.  Enabling HTTP Strict Transport Security (HSTS) article may help to achieve this.
    3. "Cross-origin resource sharing (CORS)"header: The Cross-Origin Resource Sharing is not managed by any Liferay configuration. The below articles have some helpful information and examples of web server configurations that can be used to enable CORS.
    4. "Public-Key-Pins" header: This configuration should be performed at webserver. This article: HTTP Public Key Pinning (HPKP) might help in enabling the Public-key-pins. 

Additional Information

Please Note: The above hyperlinked articles are unofficial articles that are shared to basic information.  Your use of those articles is completely at your discretion.

The headers described from 4 to 7 should be configured either at the application server or at the web server and both the platforms fall beyond the scope of Liferay Support.

Este artigo foi útil?
Utilizadores que acharam útil: 0 de 0