WebSphere Portal Security Considerations

Setting headers on IBM HTTP Server

Stop the HTTP server.
Log on to the web server and edit the following file:
/opt/IBM/HTTPServer/conf/httpd.conf
Enable below module –

LoadModule headers_module modules/mod_headers.so

<ifModule mod_headers.c>
Header set X-Permitted-Cross-Domain-Policies “none”
Header set X-XSS-Protection “1; mode=block”
Header set X-Frame-Options “DENY”
</ifModule>

Restart the HTTP server.

Setting headers on WebSphere Application server – optional

WebSphere Portal offers protection against XSS, enabled with the security.css.protection setting in the Configuration Service.

Above setting should be enabled by default

WebSphere Application Server offers protection against XSS, enabled with the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property for Global Security. When set, the HTTP-only attribute, HttpOnly, will be set for LTPA tokens. Browsers will not allow scripts access to cookies for which HTTPOnly is set

X-Frame-Options Response Header

Log into WebSphere Integrated Solutions Console as the WebSphere Administrator user.
In the left panel, open Servers, and then open Server Types. Click WebSphere application servers.
In the Application servers table, click the server where InfoSphere Business Glossary is installed.
Under Server Infrastructure, open Java and Process Management, and then click Process definition.
Under Additional Properties, click Java Virtual Machine.
Under Additional Properties, click Custom Properties.
Click New. Complete these steps to create and apply a system configuration property:
In the Name field, type bg.xFrameOptions.
In the Value field, type in the X-Frame-Option HTTP response header that you need (for example: SAMEORIGIN).
Click Apply, and then click OK.
In the Messages window, click Save to save the new property when WebSphere Application Server is restarted.
Stop and restart WebSphere Application Server.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s