JobScheduler Secure Operation - HTTP Response Headers

Summary

• A number of HTTP Response Headers can be used to adjust JOC Cockpit to security needs.
• JOC Cockpit ships with the Jetty Servlet Container, therefore you can adjust the Jetty configuration to make use of individual HTTP Response Headers and values.
• Consider use of default Headers and values by JOC Cockpit as explained below. Should you not be happy with what you find then please apply the below instructions how to add Headers individually for your environment.

Default HTTP Response Headers

• X-Content-Type-Options: nosniff
• X-Frame-Options: sameorigin
• X-XSS-Protection: 1; mode=block
• Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'
• Referrer-Policy: strict-origin-when-cross-origin
• Strict-Transport-Security: max-age=31536000; includeSubDomains
• Permissions-Policy:  accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none); image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)

The above mentioned HTTP Response Headers are available with JOC Cockpit.

FEATURE AVAILABILITY STARTING FROM RELEASE 1.13.8

Apply HTTP Response Headers

Should you operate a JobScheduler release that ships without the above default Headers or should you want to add individual Headers and values then please proceed as follows:

• Check your JobScheduler release to identify the Jetty version used:
  • Releases since 1.12.7 make use of Jetty 9.4.x due to vulnerability issues in previous Jetty releases:
    JOC-521 - Getting issue details... STATUS
  • Should you operate a JobScheduler release earlier than release 1.12.7 then please get in contact as this suggests to update to a later 1.12 LTS release or to a newer JobScheduler branch. Do not use the below instructions as they do not apply to earlier Jetty releases and as you should be more concerned about the Jetty vulnerability issues than use of security related Headers.
• Open the file  $JETTY_BASE/start.ini
  • Find the file start.ini 
    • for Linux e.g. from /home/[user]/sos-berlin.com/joc
    • for Windows e.g. from C:\ProgramData\sos-berlin.com\joc
  • Add to this file the line:
    • Changes to start.ini

       --module=rewrite

• Open the file  $JETTY_HOME/etc/jetty-rewrite.xml
  • Find a full sample of this file: jetty-rewrite.xml
  • Find the file jetty-rewrite.xml 
    • for Linux e.g. from /opt/sos-berlin.com/joc/jetty/etc
    • for Windows e.g. from C:\Program Files\sos-berlin.com\joc\jetty\etc 
  • Add to this file the lines:
    • Changes to jetty-rewrite.xml Expand source

      	<!-- see rewrite-compactpath.xml for example how to add a rule -->
      
              <!-- Add security related headers for use with JOC Cockpit -->
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">X-XSS-Protection</Set>
                          <Set name="value">1; mode=block</Set>
                      </New>
                  </Arg>
              </Call>
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">X-Content-Type-Options</Set>
                          <Set name="value">nosniff</Set>
                      </New>
                  </Arg>
              </Call>
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">Content-Security-Policy</Set>
                          <Set name="value">script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'</Set>
                      </New>
                  </Arg>
              </Call>
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">X-Frame-Options</Set>
                          <Set name="value">sameorigin</Set>
                      </New>
                  </Arg>
              </Call>
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">Strict-Transport-Security</Set>
                          <Set name="value">max-age=31536000;includeSubDomains</Set>
                      </New>
                  </Arg>
              </Call>
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">Permissions-Policy</Set>
                          <Set name="value">accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none); image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)</Set>
                      </New>
                  </Arg>
              </Call>
              <Call name="addRule">
                  <Arg>
                      <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                          <Set name="pattern">*</Set>
                          <Set name="name">Referrer-Policy</Set>
                          <Set name="value">strict-origin-when-cross-origin</Set>
                      </New>
                  </Arg>
              </Call>

    • In the jetty-rewrite.xml file insert the above XML elements within the element hierarchy like this:
      • <Call name="insertHandler">
        • <Arg>
          • <New class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
            
            • <Call name="addRule">
              • ...
            • </Call>
• Restart JOC Cockpit.