"HTTP security header not recognized" and weak SSL/TLS key transfers

Hello,

our UberJar applications do not meet two security tests of OWASP:

HTTP security header not recognized (X-Content-Type-Options HTTP header missing)

I have tried to set the header here using my own implementation of CubaBootstrapListener. This works for the screens, but not for the other resources like Vaadin files. I found a solution on the web using Jetty rewrite (https://github.com/jpos/jPOS-EE/blob/master/modules/testbed/src/dist/cfg/jetty.xml), but the necessary rewrite class doesn’t seem to be included in UberJar.

Weak SSL/TLS key transfers

The cipher suites TLSv1.2 AES256-SHA256 RSA, TLSv1.2 AES128-SHA256 RSA, TLSv1.2 AES256-GCMSHA384 RSA, TLSv1.2 AES128-GCMSHA256 RSA, TLSv1.2 AES256-SHA RSA, TLSv1.2 AES128-SHA RSA should be removed. Again, the settings (Knowledge - ForgeRock BackStage) in Jetty.xml seem to be ignored.

Does anyone have a solution for these problems?

Greetings
Andreas

Hi,
As far as I know, weak SSL/TLS cipher suites can be disabled on the Java runtime level.

See e.g.

Hello @albudarov ,

thank you for your answer. I will try that.

Do you have a solution how to add the X-Content-Type-Options HTTP header?

Greetings
Andreas
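One way to get the header onto every response, including the Vaadin static resources that a screen-level hook does not see, is a servlet filter mapped to `/*`. This is an added example, not code from the thread or from the CUBA project; the `@WebFilter` registration and the `/*` mapping are assumptions about the deployment.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds "X-Content-Type-Options: nosniff" to every response that passes
 * through the servlet container, including Vaadin static resources
 * (VAADIN/*), which a screen-level hook such as CubaBootstrapListener
 * does not handle.
 *
 * Assumption: the container honours @WebFilter; otherwise register the
 * same class from web.xml with a url-pattern of "/*".
 */
@WebFilter(filterName = "nosniffFilter", urlPatterns = "/*")
public class NoSniffHeaderFilter implements Filter {

    private static final String HEADER = "X-Content-Type-Options";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the header before the downstream servlet commits the
            // response: headers added after commit are silently dropped.
            if (!http.containsHeader(HEADER)) {
                http.setHeader(HEADER, "nosniff");
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

After deploying, confirm with `curl -I` against both a screen URL and a `/VAADIN/...` resource that the header appears on each.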

My honest advice would be to stop using UberJar packaging method. It’s just not flexible enough.
Build WAR files instead and deploy them to Tomcat or Jetty server. Thus you will be in the full control of the servlet container and all its settings.