OneClick's Tomcat process is susceptible to the following vulnerabilities because it does not send the corresponding security response headers:
X-Frame-Options – clickjacking attack
X-XSS-Protection – cross-site scripting attack
X-Content-Type-Options – content type sniffing
HSTS – strict transport security
Release: 10.3.2, 10.4, 10.4.1, 10.4.2 / Netops 20.2.x, 21.2.x
Component: SPCOCK - Spectrum OneClick
To secure OneClick against these attacks, use the following procedure to enable Tomcat's HttpHeaderSecurityFilter (the antiClickJacking feature). This adds the response headers needed to protect against these types of attacks.
STEPS TO SECURE
-------------------------------
In web.xml, define the httpHeaderSecurity filter as follows:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
** The <init-param></init-param> block for antiClickJackingOption is not present in the filter definition by default; you will need to add it as shown above.
Then add the matching filter mapping so the filter is applied to every request:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Tomcat will now add the necessary response headers to prevent the aforementioned vulnerabilities. This can be verified using the web browser's developer tools (typically F12):
Select the 'Network' tab
Click the '/spectrum' link (you may need to refresh the web page)
Select the 'Headers' tab
Check the response headers; the following should now be present:
Strict-Transport-Security: max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
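The same check can be scripted. The following is an added example, not code from the article or from Spectrum: it parses a raw HTTP response such as the one shown in the Network tab (a constructed sample is embedded) and reports whether each of the four headers is present with an effective value, flagging that max-age=0 means HSTS is present but not actually enforced.

```python
# Header values the article shows once the filter is enabled; DENY is the other
# antiClickJackingOption value the filter can emit for X-Frame-Options.
EXPECTED = {
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-Content-Type-Options": ("nosniff",),
    "X-XSS-Protection": ("1; mode=block",),
}

def parse_headers(raw_response: str) -> dict:
    """Return the header block of a raw HTTP response keyed by lower-cased header name."""
    headers = {}
    for line in raw_response.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or -1 if absent."""
    for directive in value.split(";"):
        name, _, seconds = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and seconds.strip().isdigit():
            return int(seconds)
    return -1

def audit_security_headers(raw_response: str) -> dict:
    """Map each expected header to 'ok', 'missing', 'unexpected value: ...' or 'not enforced'."""
    headers = parse_headers(raw_response)
    verdict = {}
    for name, accepted in EXPECTED.items():
        value = headers.get(name.lower())
        if value is None:
            verdict[name] = "missing"
        else:
            verdict[name] = "ok" if value in accepted else f"unexpected value: {value}"
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        verdict["Strict-Transport-Security"] = "missing"
    else:
        # max-age=0 (the article's value) tells browsers to drop any HSTS policy for the
        # host, so the header is present but is not enforcing HTTPS-only access.
        verdict["Strict-Transport-Security"] = ("ok" if hsts_max_age(hsts) > 0
                                                else "not enforced (max-age=0)")
    return verdict

# Constructed sample response carrying exactly the headers the article lists after the fix.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
                   "Strict-Transport-Security: max-age=0\r\nX-Content-Type-Options: nosniff\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n")
```

Run audit_security_headers(SAMPLE_RESPONSE), or pass it the headers copied from the 'Headers' tab of your own OneClick response.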
Note: When upgrading Spectrum in the future, it is likely that the changes to the web.xml file will be lost. You will need to add these changes back after the upgrade is complete.
These modifications are included out of the box in Spectrum 10.4.2.1 (also known as 20.2.3).