| FineBI version | JAR | New features |
|---|---|---|
| 5.1 | 2020-08-04 | Added "HSTS Settings" button; Added "Request Response Optimization" button |
| 5.1.15 | - | Added "Token Authentication Enhancement" button |
For platform security, the "Security" page of the management system provides several security function switches: Cookie enhancement, HSTS settings, file upload verification, script call formula restriction, Security Headers, request response optimization, and token authentication enhancement. As shown below:
The Cookie Enhancement button is off by default. When it is clicked to turn it on, the current protocol is detected:
If the current server protocol is detected to be HTTPS, cookie enhancement is turned on normally.
If the current server protocol is detected to be HTTP, a pop-up window prompts: Detected that the current server protocol is HTTP and failed to be successfully enabled. Please confirm that the server has enabled HTTPS and try again.
As shown below:
HSTS (HTTP Strict Transport Security) is an Internet security mechanism, a strict transport policy: it tells the browser to access the current site only via HTTPS, never via HTTP.
The HSTS Settings button is off by default. It can be enabled only after the server has enabled HTTPS; once enabled, HTTP access is prohibited. Browsers below IE11 do not support this setting.
If the current server protocol is HTTP, turning this button on prompts: Detected that the current server protocol is HTTP and failed to be successfully enabled. Please confirm that the server has enabled HTTPS and try again.
Note: Self-signed certificates are not considered for HSTS settings for now.
After the "HSTS Settings" button is turned on, the response header Strict-Transport-Security is added; its default value is max-age=31536000; includeSubdomains.
Super administrators can modify the value of the header through the "fine_conf_entity Visual Configuration Plugin".
Note: For how to modify a field value in a FineDB database table, refer to the modification of common table fields in FineDB.
| Configuration item | Configuration value | Configuration example | Meaning |
|---|---|---|---|
| WebSecurityConfig.hstsHeader | max-age=<expire-time> | max-age=31536000 | For 31,536,000 seconds after the browser receives this response, all requests to this domain name are made over HTTPS. |
| | max-age=<expire-time>; includeSubDomains | max-age=31536000; includeSubdomains | The rule also applies to all subdomains of the site. |
| | max-age=<expire-time>; preload | max-age=31536000; preload | Preload HSTS. |
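The following is an added example (not FineBI code) that models the two checks the HSTS section describes: the HTTPS precondition for the switch, and parsing of the header value stored in WebSecurityConfig.hstsHeader (default max-age=31536000; includeSubdomains). The function names and the extra max-age sanity checks are this example's own assumptions.

```python
"""Strict-Transport-Security helpers (added example, not FineBI code)."""

DEFAULT_HSTS = "max-age=31536000; includeSubdomains"  # page default

HTTP_PROMPT = ("Detected that the current server protocol is HTTP and failed to be "
               "successfully enabled. Please confirm that the server has enabled "
               "HTTPS and try again.")


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into its directives.

    Directive names are case-insensitive, which is why the page's
    'includeSubdomains' spelling is accepted by browsers just like
    'includeSubDomains'. Unknown directives are ignored, as browsers do.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError(f"invalid max-age value: {arg!r}")
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_enable_check(scheme: str, header_value: str = DEFAULT_HSTS) -> tuple:
    """Decide whether the HSTS switch may be turned on; returns (ok, message).

    Mirrors the page: refuse over plain HTTP, because a browser that honours
    the header could no longer reach an HTTP-only server. Additionally refuses
    a value without max-age (browsers ignore it) and max-age=0 (which deletes
    an existing policy instead of enforcing one) - both are assumptions of
    this example, not documented FineBI behaviour.
    """
    if scheme.lower() != "https":
        return False, HTTP_PROMPT
    parsed = parse_hsts(header_value)
    if parsed["max_age"] is None:
        return False, "HSTS value has no max-age directive; browsers will ignore it"
    if parsed["max_age"] == 0:
        return False, "max-age=0 removes an existing HSTS policy rather than enforcing it"
    return True, f"Strict-Transport-Security: {header_value}"


if __name__ == "__main__":
    for scheme in ("http", "https"):
        ok, msg = hsts_enable_check(scheme)
        print(scheme, "->", ok, msg)
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
```

The check is deliberately conservative: once a browser has stored an HSTS policy with a one-year max-age, a server that later loses its certificate is unreachable from that browser until the policy expires, so the precondition matters more than it looks.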
The "File Upload Verification" button is enabled by default. After it is enabled, the suffix and size of files uploaded in data entry (filling) and in platform appearance configuration are verified.

| Check condition | Specific settings |
|---|---|
| Uploaded file size | In Data Decision System > Appearance Configuration, uploading pictures over 20M is forbidden, to prevent the program from hanging. When a picture exceeding the limit is uploaded, a prompt box pops up: For better display effect, please select a picture with a size of no less than 1024*768 and a size of no more than 20M. PNG and JPG formats are supported. A file control can set its own file size limit; files exceeding it cannot be uploaded. When a file exceeding the limit is uploaded, a prompt box pops up: The file is too large, the upper limit is xxx KB |
| Uploaded file type | The file types supported for upload by default are: jpg, jpeg, gif, bmp, png, pdf, doc, docx, ppt, pptx, xls, xlsx, zip |
| Binary header of the uploaded file | The binary header of the file is verified, so uploading a file whose suffix does not match its actual content is forbidden, for example a.txt renamed to a.jpg and uploaded |
After file upload verification is enabled, the whitelist of file types allowed for upload includes: jpg, jpeg, gif, bmp, png, pdf, doc, docx, ppt, pptx, xls, xlsx, zip.
The super administrator can modify the file upload verification type through the "fine_conf_entity Visual Configuration Plug-in".

Configuration item: WebSecurityConfig.fileInspectorType

| Value | Rule |
|---|---|
| 0 | A file whose suffix is not in the whitelist is not released; otherwise the file header is checked, and the file is released only if the header matches. |
| 1 | Default value: a file is released only if its suffix is in the whitelist and its header matches. |
| 2 | A file whose suffix is in the blacklist is not allowed. |
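As an added example (not FineBI code), the three checks in the table above and the default fileInspectorType=1 rule, implemented in one function: size limit, suffix whitelist, then a binary-header (magic bytes) match so that the page's "a.txt renamed to a.jpg" case is rejected. The whitelist is the page's; the magic-byte table, the function names and the sample files are constructed for this example.

```python
"""Upload check modelled on File Upload Verification (added example, not FineBI code)."""

WHITELIST = {"jpg", "jpeg", "gif", "bmp", "png", "pdf",
             "doc", "docx", "ppt", "pptx", "xls", "xlsx", "zip"}

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (doc/xls/ppt) container
PKZIP = b"PK\x03\x04"                        # zip; docx/xlsx/pptx are zip containers

# Expected leading bytes per suffix (constructed table of standard signatures).
MAGIC = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"],
    "doc": [OLE2], "xls": [OLE2], "ppt": [OLE2],
    "docx": [PKZIP], "xlsx": [PKZIP], "pptx": [PKZIP], "zip": [PKZIP],
}


def suffix_of(filename: str) -> str:
    """Lower-cased text after the last dot of the base name; '' when absent."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def header_matches(suffix: str, data: bytes) -> bool:
    """True when the file's leading bytes are one of the signatures for suffix."""
    return any(data.startswith(sig) for sig in MAGIC.get(suffix, []))


def check_upload(filename: str, data: bytes, max_bytes: int = 20 * 1024 * 1024) -> tuple:
    """Apply the three checks in order; returns (accepted, reason).

    Default rule (fileInspectorType=1): release only if the suffix is in the
    whitelist AND the binary header matches that suffix. The 20M default and
    the "too large" prompt text follow the page.
    """
    if len(data) > max_bytes:
        return False, f"The file is too large, the upper limit is {max_bytes // 1024} KB"
    suffix = suffix_of(filename)
    if suffix not in WHITELIST:
        return False, f"suffix {suffix!r} is not in the upload whitelist"
    if not header_matches(suffix, data):
        return False, f"binary header does not match a .{suffix} file"
    return True, "accepted"


# Constructed samples: a text file renamed to .jpg (the page's a.txt -> a.jpg case),
# and a minimal JPEG-looking header.
RENAMED_TXT = ("a.jpg", b"plain text, not an image")
REAL_JPG = ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)

if __name__ == "__main__":
    for name, data in (RENAMED_TXT, REAL_JPG, ("a.txt", b"x")):
        print(name, check_upload(name, data))
```

Note that the header check only proves the first bytes look like the claimed format; for zip-based formats (docx/xlsx/pptx) it cannot distinguish one container type from another, which is why the suffix whitelist and the header check are applied together rather than either alone.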
FR.remoteEvaluate and FR.remoteEvaluateAsync are frequently used in JS, but these two interfaces also carry a serious security risk: an attacker could use them to add, delete, modify and query the database, a risk level equivalent to remote code execution. Therefore both FineReport 9.0 and FineReport 10.0 add the "Script Call Formula Restriction" function.
When a user calls FR.remoteEvaluate or FR.remoteEvaluateAsync while the script call formula restriction switch is enabled, a prompt box pops up on preview: This call is a security risk, if you need to use it, please modify it in the security management Script call formula limit.
Note: If you have no corresponding usage scenario, it is recommended not to turn this function off casually; otherwise the above risk exists.
The administrator logs in to the data decision system and clicks "Manage > Security > Security" to enable "Script Call Formula Restriction", as shown in the following figure:
Security Headers settings. When enabled, HTTP Security Headers are added to the response to help prevent common web attacks.
Click Advanced Settings to expand the advanced protection sub-function switches, five in total, as shown in the following figure:
Note: When the Security Headers function is turned on, all sub-functions are turned on by default. When it is turned off, all sub-functions are turned off and the advanced protection functions cannot be turned on.
The specific settings enabled by default are as follows:

```java
// Response headers added when Security Headers is enabled (default values)
res.addHeader("X-Content-Type-Options", "nosniff");            // content sniffing protection
res.addHeader("X-XSS-Protection", "1; mode=block");            // browser XSS filter
res.addHeader("X-Frame-Options", "SAMEORIGIN");                // clickjacking protection
res.addHeader("Content-Security-Policy", "object-src 'self'"); // content security policy
res.addHeader("Cache-Control", "no-cache");                    // browser cache disable
res.addHeader("Pragma", "no-cache");                           // HTTP/1.0 cache compatibility
res.addDateHeader("Expires", 0);                               // epoch date, i.e. already expired
```
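To verify that a deployment actually sends the defaults above, here is an added example (not FineBI code) that audits a captured set of response headers against them. Header names are matched case-insensitively, Expires is accepted as either 0 or a past HTTP-date (addDateHeader emits the epoch date), and a header name with surrounding whitespace is flagged because browsers would not recognise it. EXPECTED mirrors the snippet; the sample header dictionaries are constructed.

```python
"""Audit response headers against the Security Headers defaults (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "object-src 'self'",
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Expires": "0",
}


def normalize(headers: dict) -> dict:
    """Header names are case-insensitive; values are compared after stripping."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _same(want: str, got: str) -> bool:
    return " ".join(want.split()).lower() == " ".join(got.split()).lower()


def expires_is_past(value: str, now=None) -> bool:
    """Accept '0'/'-1' (invalid date = already expired) or an HTTP-date not after now."""
    v = value.strip()
    if v in ("0", "-1"):
        return True
    try:
        dt = parsedate_to_datetime(v)
    except (TypeError, ValueError):
        return False
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt <= (now or datetime.now(timezone.utc))


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every default is present."""
    findings = []
    for raw in headers:
        if raw != raw.strip():
            findings.append(f"header name {raw!r} has surrounding whitespace and will not be recognised")
    h = normalize(headers)
    for name, want in EXPECTED.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif name == "Expires":
            if not expires_is_past(got):
                findings.append(f"Expires is in the future: {got}")
        elif not _same(want, got):
            findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings


# Constructed samples: one matching the defaults, one weakened.
SAMPLE_OK = {
    "x-content-type-options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "sameorigin",
    "Content-Security-Policy": "object-src 'self'",
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}
SAMPLE_WEAK = {
    "X-Frame-Options ": "SAMEORIGIN",   # trailing space in the name
    "Cache-Control": "max-age=3600",
    "Expires": "Wed, 21 Oct 2099 07:28:00 GMT",
}

if __name__ == "__main__":
    print("ok sample:", audit_security_headers(SAMPLE_OK))
    for finding in audit_security_headers(SAMPLE_WEAK):
        print("-", finding)
```

Feed it the headers of a real response (for example, a dict built from a browser's network tab) to confirm that the switch and each of its sub-functions are in effect on the path the users actually hit, including any reverse proxy in front of the application.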
1) Function introduction
The CSP (Content Security Policy) works like a whitelist: by configuring the whitelist in the CSP, the site tells the browser or client which resources are authorized to load or execute and which are forbidden.
The website sends a CSP header to the browser carrying this information, so that even if an attacker finds a vulnerability in the website, an injected script cannot run, because it is not in the whitelist.
The HTTP response header Content-Security-Policy allows site administrators to control which resources a user agent may load for a given page. With a few exceptions, the policy mainly specifies the server's origin and script endpoints. This helps prevent cross-site scripting attacks.
2) Setting method
When enabled, the response header Content-Security-Policy: object-src 'self' is added by default.
Super administrators can modify the policy through the "fine_conf_entity visual configuration plugin".
Configuration item: WebSecurityConfig.contentSecurityPolicyHeader

Grammar: Content-Security-Policy: <policy-directive>; <policy-directive>
Note: multiple directives are separated by semicolons (;). 1) 'none' means nothing matches. 2) 'self' means match the current origin (not its subdomains). 3) 'unsafe-inline' allows inline JavaScript and CSS. 4) 'unsafe-eval' allows eval-like text-to-JavaScript mechanisms.

| Configuration value | Configuration example | Meaning |
|---|---|---|
| object-src | object-src 'self' | Restrict the source addresses of <object>, <embed>, <applet> tags, and only allow those matching the current origin (not its subdomains) |
| object-src uri | object-src https://example.com/ | Restrict the source addresses of <object>, <embed>, <applet> tags, and only allow https://example.com/ to be loaded in those tags |
| default-src | default-src https: | Disable insecure inline/dynamic execution and only allow resources (images, fonts, scripts, etc.) to be loaded via https |
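The following added example (not FineBI code) parses a Content-Security-Policy value and evaluates whether object-src (falling back to default-src, as the browser does) permits a given URL. It covers exactly the source kinds in the table above: 'none', 'self' (the current origin, not its subdomains), scheme sources such as https:, and host sources such as https://example.com/ (with a leading wildcard generalizing the host case). Path matching is omitted and ports count only when written explicitly; the policies and URLs are constructed.

```python
"""Evaluate object-src under a CSP (added example, not FineBI code)."""
from urllib.parse import urlparse


def parse_csp(policy: str) -> dict:
    """Map each directive name to its list of source expressions.
    A repeated directive is ignored: the first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_of(url: str) -> tuple:
    p = urlparse(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def source_allows(source: str, url: str, page_url: str) -> bool:
    """Does one source expression permit loading url from a page at page_url?"""
    target = urlparse(url)
    if source.startswith("'"):
        keyword = source.strip("'").lower()
        if keyword == "self":          # current origin only, never a subdomain
            return origin_of(url) == origin_of(page_url)
        return False                   # 'none', 'unsafe-inline', 'unsafe-eval' grant no URL
    if source.endswith(":"):           # scheme source, e.g. https:
        return target.scheme.lower() == source[:-1].lower()
    src = urlparse(source if "://" in source else "//" + source)   # host source
    if src.scheme and src.scheme.lower() != target.scheme.lower():
        return False
    host, want = (target.hostname or "").lower(), (src.hostname or "").lower()
    if want.startswith("*."):
        return host.endswith(want[1:])
    return host == want


def object_allowed(policy: str, url: str, page_url: str) -> bool:
    """object-src governs <object>, <embed>, <applet>; absent, default-src applies."""
    directives = parse_csp(policy)
    sources = directives.get("object-src", directives.get("default-src"))
    if sources is None:
        return True                    # no applicable directive: unrestricted
    return any(source_allows(s, url, page_url) for s in sources)


if __name__ == "__main__":
    page = "https://bi.example.com/webroot/decision"
    for policy in ("object-src 'self'", "object-src https://example.com/", "default-src https:"):
        for url in ("https://bi.example.com/a.swf", "https://example.com/p.swf", "http://x.example.org/p"):
            print(f"{policy:32} {url:34} -> {object_allowed(policy, url, page)}")
```

Because the default is object-src 'self', a plugin object served from a sibling host such as sub.bi.example.com is blocked; a policy change via WebSecurityConfig.contentSecurityPolicyHeader that names that host explicitly is the intended way to allow it, rather than removing the directive.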
XSS (cross-site scripting) is a general term for a class of attack programs that attackers write after discovering vulnerabilities in a website. These programs are usually JS, but can also be Java, Flash, HTML, etc. A successful attack can obtain higher privileges, private sessions, cookies, etc.
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops the browser from loading a page when a cross-site scripting (XSS) attack is detected.
After it is enabled, the response header X-XSS-Protection: 1; mode=block is added by default.
Configuration item: WebSecurityConfig.xssProtectionHeader

| Configuration value | Configuration example | Meaning |
|---|---|---|
| 0 | X-XSS-Protection: 0 | Disable XSS filtering |
| 1 | X-XSS-Protection: 1 | Enable XSS filtering. If a cross-site scripting attack is detected, the browser sanitizes the page, removing the unsafe parts |
| 1; mode=block | X-XSS-Protection: 1; mode=block | Enable XSS filtering. If an attack is detected, the browser does not sanitize the page but prevents it from loading |
| 1; report=<reporting-uri> (example: 1; report=xss.php) | X-XSS-Protection: 1; report=xss.php | Enable XSS filtering. If a cross-site scripting attack is detected, the browser sanitizes the page and sends a violation report to xss.php using the CSP report-uri functionality |
Clickjacking is a visual deception. The attacker overlays a transparent iframe on a web page and tricks the user into acting on the page; the user then unknowingly clicks inside the transparent iframe. Alternatively, the attacker overlays the web page with an image to hide the real meaning of the element at that position.
The X-Frame-Options HTTP response header indicates to the browser whether a page is allowed to be rendered in a <frame>, <iframe>, <embed> or <object>. Sites can avoid clickjacking attacks by ensuring that their pages are not embedded in someone else's site.
Note: If a report embedded in a cross-domain iframe cannot be accessed, turn off the "Click hijacking attack protection" button in the advanced settings of Security Headers.
After it is enabled, the response header X-Frame-Options: SAMEORIGIN is added by default.
Configuration item: WebSecurityConfig.frameOptionsHeader

| Configuration value | Configuration example | Meaning |
|---|---|---|
| deny | X-Frame-Options: deny | The browser refuses to display the current page in any frame |
| sameorigin | X-Frame-Options: sameorigin | The page can be displayed in a frame of a same-origin page |
| allow-from uri (example: allow-from https://example.com/) | X-Frame-Options: allow-from https://example.com/ | The page can be displayed in a frame of the specified origin (https://example.com/) |
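As an added example (not FineBI code), a small decision function for the table above, applied to the situation in the note: a report framed by a portal on another domain is blocked by the default SAMEORIGIN value, while the same report framed from its own origin is shown. The URLs and function names are constructed.

```python
"""X-Frame-Options framing decision (added example, not FineBI code)."""
from urllib.parse import urlparse


def same_origin(a: str, b: str) -> bool:
    """Scheme, host and explicit port must all agree (subdomains differ)."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme.lower(), (pa.hostname or "").lower(), pa.port) == \
           (pb.scheme.lower(), (pb.hostname or "").lower(), pb.port)


def frame_allowed(xfo: str, page_url: str, embedder_url: str) -> bool:
    """page_url is the framed document (the report); embedder_url is the
    top-level document that contains the <iframe>."""
    value = xfo.strip()
    lowered = value.lower()
    if lowered == "deny":
        return False
    if lowered == "sameorigin":
        return same_origin(page_url, embedder_url)
    if lowered.startswith("allow-from"):
        parts = value.split(None, 1)
        return len(parts) == 2 and same_origin(parts[1].strip(), embedder_url)
    raise ValueError(f"unrecognised X-Frame-Options value: {xfo!r}")


if __name__ == "__main__":
    report = "https://bi.example.com/webroot/decision/view/report"   # constructed
    for embedder in ("https://bi.example.com/portal", "https://portal.example.org/home"):
        print(embedder, "->", frame_allowed("SAMEORIGIN", report, embedder))
```

Current browsers ignore allow-from and use the CSP frame-ancestors directive for the same purpose, so in practice the choice for a cross-domain portal is between the page's advice (turning the sub-switch off) and a CSP frame-ancestors entry for that portal's origin.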
MIME (Multipurpose Internet Mail Extensions) is a standard that indicates the nature and format of a document, file or sequence of bytes.
The X-Content-Type-Options HTTP response header is a marker by which the server tells the client to follow the MIME type declared in the Content-Type header without changing it. This disables the client's MIME type sniffing behavior.
Note: If a cross-domain problem is reported during single sign-on, turn off the "Content Sniffing Attack Protection" button in the advanced settings of Security Headers.
After it is enabled, the response header X-Content-Type-Options: nosniff is added by default.
Configuration item: WebSecurityConfig.contentTypeOptionsHeader

| Configuration value | Configuration example | Meaning |
|---|---|---|
| nosniff | X-Content-Type-Options: nosniff | The following two kinds of request are blocked: 1) the request destination is "style" but the MIME type is not text/css; 2) the request destination is "script" but the MIME type is not a JavaScript MIME type |
Browser cache disabling involves three headers.
The Cache-Control general header field is used to implement caching mechanisms by specifying directives in HTTP requests and responses. Caching directives are one-way: a directive set in the request is not necessarily included in the response.
The Expires response header contains the date/time after which the response is considered expired. An invalid date, such as 0, represents a date in the past, i.e. the resource has already expired. The Expires header is ignored if the max-age or s-max-age directive is set in the Cache-Control response header.
Pragma is a general header defined in HTTP/1.0. Its effect depends on the implementation, so it may behave differently along the request-response chain. It is used for backward compatibility with cache servers that only support HTTP/1.0, from before Cache-Control in HTTP/1.1 existed.
After it is enabled, the response headers Cache-Control: no-cache, Pragma: no-cache and Expires: 0 are added by default.
Configuration item: WebSecurityConfig.cacheControlHeader (value of the Cache-Control header for browser cache disabling)

| Configuration value | Configuration example | Meaning |
|---|---|---|
| no-cache | Cache-Control: no-cache | Forces the cache to submit the request to the origin server for validation before releasing a cached copy (conditional cache validation) |
| max-age=<seconds> (example: max-age=3600) | Cache-Control: max-age=3600 | Sets the maximum period (in seconds) for which the cached copy is stored; beyond it the cache is considered expired |

Configuration item: WebSecurityConfig.cacheControlExpiresHeader (value of the Expires header for browser cache disabling)

| Configuration value | Configuration example | Meaning |
|---|---|---|
| Expires: <http-date> | Expires: 0 | Represents a date in the past, i.e. the resource has expired |
| <http-date> | Expires: Wed, 21 Oct 2015 07:28:00 GMT | The response expires after Wed, 21 Oct 2015 07:28:00 GMT |

Configuration item: WebSecurityConfig.cacheControlPragmaHeader (value of the Pragma header for browser cache disabling)

| Configuration value | Configuration example | Meaning |
|---|---|---|
| no-cache | Pragma: no-cache | Same effect as Cache-Control: no-cache: forces the cache server to submit the request to the origin server for validation before returning the cached version |
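To show how the three headers interact, here is an added example (not FineBI code) that computes how long a response may be served from cache without revalidation, applying the precedence described above: a Cache-Control max-age wins over Expires, no-cache forces revalidation, an invalid Expires such as 0 counts as already expired, and Pragma: no-cache is consulted only when Cache-Control is absent (the HTTP/1.0 fallback). The header sets are constructed.

```python
"""Cache freshness from Cache-Control / Expires / Pragma (added example, not FineBI code)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value: str) -> dict:
    """'no-cache, max-age=3600' -> {'no-cache': None, 'max-age': '3600'}"""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, eq, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if eq else None
    return directives


def freshness_seconds(headers: dict, now=None):
    """Seconds the response stays fresh without revalidation.

    0 means always revalidate (or already expired); None means the headers
    carry no freshness information at all. `now` may be a datetime or an
    ISO-8601 string, to make the Expires arithmetic reproducible.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    max_age = cc.get("max-age") or ""
    if max_age.isdigit():                    # Cache-Control max-age overrides Expires
        return int(max_age)
    if "cache-control" not in h and h.get("pragma", "").lower() == "no-cache":
        return 0                             # HTTP/1.0 caches only understand Pragma
    expires = h.get("expires")
    if expires is None:
        return None
    if expires in ("0", "-1"):
        return 0                             # invalid date means already expired
    try:
        dt = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return 0
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return max(0, int((dt - now).total_seconds()))


# Constructed header sets: the page's defaults, and a cacheable variant.
PAGE_DEFAULT = {"Cache-Control": "no-cache", "Pragma": "no-cache", "Expires": "0"}
CACHEABLE = {"Cache-Control": "max-age=3600", "Expires": "Wed, 21 Oct 2015 07:28:00 GMT"}

if __name__ == "__main__":
    print("defaults  ->", freshness_seconds(PAGE_DEFAULT))
    print("cacheable ->", freshness_seconds(CACHEABLE))
```

Run it against the headers of a report page: a result of 0 means a shared proxy or the browser will always go back to the server, which is the behaviour the switch is meant to guarantee for pages carrying business data.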
The Request Response Optimization button is off by default.
When it is off, detailed stack information is displayed on errors.
When it is on, all stack information is replaced by a simple error message: request error, if you want to view the detailed error information, please go to the security management page to set it.
The "Token Authentication Enhancement" button is disabled by default.
The login information stored in the state server for a token includes the client IP. After the "Token Authentication Enhancement" button is enabled, the server adds IP verification:
If the IP is the same, the request is released automatically.
If the IP is different, the client is treated as a new client, redirected to the login page automatically, and must log in again.