Insecure HTTP methods

Issue

  • HTTP methods like HEAD, OPTIONS, and TRACE may provide information about the application that can be used in attacks such as XST, CSRF, and theft of sensitive information.
    How can we disable insecure/unnecessary HTTP methods?

  • How to enable the SECURE attribute to disallow the cookie to be sent over an unencrypted channel?

Environment

  • Liferay DXP 7.1+

Resolution

  • To disable insecure or unnecessary HTTP methods like OPTIONS, HEAD, and TRACE, you can configure your web server to restrict access to these methods. The exact steps may vary depending on the web server you are using. Here are instructions for two popular web servers, Apache and Nginx:

    Disabling insecure HTTP methods in Apache:
    Open your Apache configuration file (e.g., httpd.conf or apache2.conf) in a text editor.
    Add the following lines to the file:

    # TRACE is not controlled by <Limit>/<LimitExcept>; it is switched off server-wide with TraceEnable
    TraceEnable off
    <Directory "/path/to/your/web/root">
        # Apache applies a GET restriction to HEAD as well, so HEAD remains allowed here
        <LimitExcept GET POST>
            # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

    Replace "/path/to/your/web/root" with the actual path to your web root directory.
    Save the changes to the configuration file.
    Restart Apache to apply the changes.
    This configuration denies access to all HTTP methods except GET and POST, effectively disabling OPTIONS, HEAD, TRACE, and other methods. Note that Apache treats a GET restriction as covering HEAD too, and TRACE is governed by the TraceEnable directive rather than by LimitExcept, which is why TraceEnable off is included above.

    Disabling insecure HTTP methods in Nginx:
    Open your Nginx configuration file (e.g., nginx.conf) in a text editor.
    Add the following lines inside the "server" block (a "location" block is only valid inside "server", not directly under "http"):

    location / {
        # reject any request method other than GET or POST with 405 Method Not Allowed
        if ($request_method !~ ^(GET|POST)$) {
            return 405;
        }
        # ... other configuration directives
    }

    Save the changes to the configuration file.
    Restart Nginx to apply the changes.
    This configuration returns a 405 (Method Not Allowed) response for any HTTP method other than GET and POST, effectively disabling OPTIONS, HEAD, TRACE, and other methods.
    By configuring your web server to deny access to insecure HTTP methods, you can protect against attacks that exploit vulnerabilities related to these methods, such as Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF).

  • The SECURE attribute ensures that the cookie is only sent over an encrypted (HTTPS) connection and not over an unencrypted (HTTP) channel.
    Set this to true to invalidate the session when a user logs into the portal. This helps prevent phishing. Set this to false if you need the guest user and the authenticated user to have the same session.
    Set this to false if the property "company.security.auth.requires.https" is set to true and you want to maintain the same credentials across HTTP and HTTPS sessions.
    Env: LIFERAY_SESSION_PERIOD_ENABLE_PERIOD_PHISHING_PERIOD_PROTECTION
    Defaults:
    session.enable.phishing.protection=true
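    To verify that both resolutions above took effect, the following added example (not part of this article or of Liferay's code) parses constructed sample HTTP responses: it lists the methods an OPTIONS reply still advertises beyond GET and POST, and reports which Set-Cookie headers lack the Secure or HttpOnly attribute. The response text and cookie names are constructed sample data, not captured from a real host.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real Liferay host):
# an OPTIONS reply from an unhardened server and a login reply that sets cookies.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: COOKIE_SUPPORT=true; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# The allow-list enforced by the Apache/Nginx configurations in this article.
SAFE_METHODS = {"GET", "POST"}

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response head; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def unwanted_methods(raw: str) -> List[str]:
    """Methods advertised in the Allow header that fall outside SAFE_METHODS."""
    advertised = []
    for name, value in parse_headers(raw):
        if name == "allow":
            advertised += [m.strip().upper() for m in value.split(",") if m.strip()]
    return sorted(set(advertised) - SAFE_METHODS)

def insecure_cookies(raw: str) -> Dict[str, List[str]]:
    """Map each cookie name to the attributes it is missing (Secure, HttpOnly)."""
    findings = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings

if __name__ == "__main__":
    print("methods outside allow-list:", unwanted_methods(OPTIONS_RESPONSE))
    print("cookies missing attributes:", insecure_cookies(LOGIN_RESPONSE))
```

    After applying the configuration, an OPTIONS probe should return 405 (Nginx) or be denied (Apache), so any Allow header the checker still sees indicates the change did not take effect.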

Additional Information
