A number of security-related properties are not enabled by default and must be set explicitly by editing values in your general.properties file.
The recommended settings for the highest level of security are the following:
• use_secure_urls=true (Uses a lengthened, random session token string rather than just digits, making tokens far harder to guess)
• session_client_check=on (Prevents a session token being shared between browsers/users, e.g. by users copying & pasting URLs)
• enable_xss_protection=true (Enables the application's built-in cross-site scripting (XSS) protection)
• password_autocomplete=off (Prevents users saving / autocompleting passwords in the web browser)
• allow_credentials_in_url=false (Prevents the username & password being passed as query-string arguments, where they would be logged and cached)
• illegal.upload.extension=exe|com|bat|vbs (Pipe-separated list of file extensions users are prevented from uploading into AIS, blocking potentially dangerous executable code)
• use_http_only_cookies=true (Marks cookies HttpOnly so they cannot be read by client-side script)
• show_stacktrace=false (Prevents a stack trace being shown to the user in the event of an error, which could aid a would-be attacker)
Since these settings are deviations from the application defaults, you should follow the instructions here to achieve an upgrade-proof configuration.
Note that you should change these settings in all of the general.properties files, including those in the WS_CONFIG subfolders.
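Because the settings have to be identical in every general.properties file, including those under the WS_CONFIG subfolders, it is easy to harden one copy and miss another. The following POSIX shell script is an added example (it is not part of AIS or its documentation) that walks a directory tree, finds every general.properties, and reports any of the eight settings above that is missing or has a different value. It assumes the files use plain `key=value` lines with `#` comments (not the `key: value` form Java also accepts) and that the last occurrence of a key is the effective one; the root directory path and the function names are the script's own choices.

```shell
#!/bin/sh
# audit_general_properties.sh - added example, not AIS tooling.
# Checks every general.properties under a root directory against the
# recommended hardening values. Assumes key=value lines and '#' comments.

REQUIRED='use_secure_urls=true
session_client_check=on
enable_xss_protection=true
password_autocomplete=off
allow_credentials_in_url=false
illegal.upload.extension=exe|com|bat|vbs
use_http_only_cookies=true
show_stacktrace=false'

# prop_value FILE KEY: print the effective value of KEY in FILE
# (comments ignored, last occurrence wins, surrounding whitespace and CR trimmed).
# Prints nothing if the key is absent.
prop_value() {
    # escape the dots in the key so sed treats them literally
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" \
        | tail -n 1 \
        | sed 's/[[:space:]]*$//'
}

# check_props FILE: print one line per deviating setting; return 0 only
# when every required setting is present with the expected value.
check_props() {
    file=$1
    rc=0
    # heredoc rather than a pipe so rc survives the loop (no subshell)
    while IFS='=' read -r key want; do
        have=$(prop_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' "$file" "$key" "$have" "$want"
            rc=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# audit_tree ROOT: check every general.properties below ROOT (default: .),
# which picks up the WS_CONFIG subfolders as well. Returns 1 if any file deviates.
audit_tree() {
    root=${1:-.}
    report=$(find "$root" -type f -name general.properties \
        | while IFS= read -r f; do check_props "$f"; done; true)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage: . ./audit_general_properties.sh && audit_tree /path/to/ais
```

Run `audit_tree` against the AIS installation root after every upgrade: a non-zero exit with a list of `file: key is "x", expected "y"` lines tells you exactly which copy was reset to a default. An empty value in the report means the key is missing from that file altogether, which matters because a missing key silently falls back to the less secure application default.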