openATTIC / OP-3193

Improve session handling security and block clickjacking attacks


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.7.3
    • Fix Version/s: 3.7.3
    • Component/s: Backend
    • External issue ID:
      1132543

      Description

      To enhance the security of oA, the following two settings should be added to settings.py:

      SESSION_COOKIE_PATH = '/openattic/'
      SESSION_COOKIE_AGE = 1209600  # two weeks, in seconds; Django expects an integer here, not a string

      Moreover, in webui/app/scripts/module.js, the following should be added to the app.config(($httpProvider) block, to prohibit the oA application from being embedded in an iframe:

      $httpProvider.defaults.headers.get["X-Frame-Options"] = "DENY";
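Added check, not code from this issue or from the openATTIC project: X-Frame-Options only blocks framing when the server sends it as a response header, so a client-side default on outgoing GET requests (the $httpProvider line above) cannot be relied on, and the script below audits a captured HTTP response for that header and for the session cookie's Path and Max-Age scoping requested here. It assumes Django's default session cookie name sessionid; both sample responses are constructed.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"  # Django's default session cookie name (assumed for oA)
EXPECTED_COOKIE_PATH = "/openattic/"
MAX_COOKIE_AGE = 1209600           # two weeks in seconds, the value from the issue


def parse_head(raw):
    """Split a raw HTTP response head into lower-cased (name, value) pairs, keeping repeats."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the head
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Map each control to True (present and correct) or False (missing or weak)."""
    headers = parse_head(raw)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    result = {"x_frame_options_deny": xfo == ["DENY"],
              "session_cookie_present": False,
              "session_cookie_path_scoped": False,
              "session_cookie_age_bounded": False,
              "session_cookie_httponly": False}
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)                 # parses Path, Max-Age, HttpOnly, Secure attributes
        morsel = jar.get(SESSION_COOKIE_NAME)
        if morsel is None:
            continue
        age = morsel["max-age"]         # "" when the attribute is absent
        result["session_cookie_present"] = True
        result["session_cookie_path_scoped"] = morsel["path"] == EXPECTED_COOKIE_PATH
        result["session_cookie_age_bounded"] = age.isdigit() and 0 < int(age) <= MAX_COOKIE_AGE
        result["session_cookie_httponly"] = bool(morsel["httponly"])
    return result


# Constructed sample responses: before and after applying the issue's settings.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
         "Set-Cookie: sessionid=abc123; Path=/openattic/; Max-Age=1209600; HttpOnly; Secure\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw))
```

The same audit can be run against a live deployment by pasting the response head from the browser's network panel or from curl -i into the raw string.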

    People

    • Assignee: Krah, Sebastian (skrah)
    • Reporter: Grimmer, Lenz (lgrimmer)