You are viewing the 10.0 help doc. More details are available in the latest help doc.

Security Protection Setting

I. Overview

FineReport focuses on security features that keep business-level applications safe, and raises the security level in two aspects: fixing vulnerabilities and an active defense strategy.

For platform security, six feature switches have already been pre-configured in the Security module under the Manage section, including Cookie Enhancement, HSTS Settings, File Upload Verification, Script Call Formula Restriction, Security Headers, Improved Request Response and Token Authentication Enhancement.

You will learn
  • Security Management Page

    • Access the Local Decision-making Platform

    • Enter Security Section

  • Security Precautions

    • Cookie Enhancement

    • HSTS Settings

    • File Upload Verification

    • Script Call Formula Restriction

    • Security Headers

    • Improved Request Response

    • Token authentication enhancement

II. User Interface


Take the local decision-making platform as an example.

1) Open the platform in Help -> Demo


2) Go to Manage -> Security


III. Security Precautions


Note: Cookie Enhancement, HSTS Settings and Improved Request Response are switched off by default, while others are switched on.


1. Cookie Enhancement

Note: HTTPS must be enabled on the server. The Secure attribute set by Cookie Enhancement requires HTTPS; otherwise no cookies will be sent.

When Cookie Enhancement is turned on, the feature checks the current protocol. If the protocol is HTTPS, the feature can be enabled. If it is HTTP, users are prompted with the message "Detected that the current server protocol is HTTP and failed to be successfully enabled. Please confirm the server to open HTTPS and try again", and the feature is not turned on, as shown below:

[Image: Cookie Enhancement]


2. HSTS Settings

This option can be turned on once HTTPS is enabled on the server; HTTP access is then prohibited. IE10 and lower browser versions are not supported.

If the current server protocol is HTTP, users are prompted with the message "Detected that the current server protocol is HTTP and failed to be successfully enabled. Please confirm the server to open HTTPS and try again", as shown below:

[Image: HTTP setting]

Once HSTS Settings is enabled, a Strict-Transport-Security header is added, with the default value max-age=31536000; includeSubdomains.

To set the value of this header, add a field named "WebSecurityConfig.hstsHeader" to the table "fine_conf_entity".

Note: self-signed certificates are not yet supported by HSTS Settings.


3. File Upload Verification

1) Description

Once enabled, this feature checks the types and sizes of files uploaded via Data Entry and Appearance on the platform.

  • By verifying the binary header of the file, uploading files whose content does not match their declared type is prohibited, for example renaming a.txt to a.jpg and then uploading it.

  • Image files larger than 20MB cannot be uploaded via the Appearance page, to prevent the application from hanging (the size of files uploaded via Data Entry is limited by the widgets). Users are prompted when an uploaded image file exceeds the maximum limit.

2) Security policy

With File Upload Verification turned on, the default security policy only allows the file upload widget to accept whitelisted file types, namely jpg, jpeg, gif, bmp, png, pdf, doc, docx, ppt, pptx, xls, xlsx and zip.

You can modify the "WebSecurityConfig.fileInspectorType" field of the table "fine_conf_entity" in FineDB to change the security policy. By default, WebSecurityConfig.fileInspectorType=1.

Configurations of this field are as below:

Key                                  Value   Description

WebSecurityConfig.fileInspectorType  0       Allow files whose types are not in the whitelist, or whose verification headers match

                                     1       Only whitelisted file types with matching headers are allowed

                                     2       Allow files whose types are not in the blacklist
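As an added example (not FineReport's own code), the following shows how an extension whitelist combined with a binary-header check behaves under the three fileInspectorType values in the table above, including the renamed a.txt case and the 20MB image limit. The blacklist used for policy 2 and the constructed sample files are assumptions; the page does not list a blacklist.

```python
# Added example, not FineReport's own code: an extension whitelist combined with a
# magic-bytes ("binary header") check, evaluated under the three
# WebSecurityConfig.fileInspectorType policies in the table above. The blacklist
# used by policy 2 is an assumption; the page does not list one.

# Whitelisted types from the page and the leading bytes a genuine file carries.
# OOXML files share zip's PK signature and legacy Office files share the OLE
# signature, so the check proves the container format, not the exact application.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"), "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",), "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",),
    "ppt": (b"\xd0\xcf\x11\xe0",), "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",), "pptx": (b"PK\x03\x04",), "zip": (b"PK\x03\x04",),
}
BLACKLIST = {"exe", "jsp", "jar", "bat", "sh", "html"}  # assumed, for policy 2
IMAGE_TYPES = {"jpg", "jpeg", "gif", "bmp", "png"}
MAX_IMAGE_BYTES = 20 * 1024 * 1024  # Appearance page limit stated above

def header_matches(ext, data):
    """True when the file's first bytes carry a known signature for ext."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))

def inspect_upload(filename, data, inspector_type=1, appearance=False):
    """Return (allowed, reason) for one upload under the given policy value."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if appearance and ext in IMAGE_TYPES and len(data) > MAX_IMAGE_BYTES:
        return False, "image exceeds 20MB limit"
    if inspector_type == 0:
        # Unlisted types pass; listed types must still carry the right header.
        if ext not in MAGIC:
            return True, "type not in whitelist"
        return header_matches(ext, data), "header check"
    if inspector_type == 1:
        # Strict default: listed type AND matching header.
        return ext in MAGIC and header_matches(ext, data), "whitelist + header check"
    if inspector_type == 2:
        return ext not in BLACKLIST, "blacklist check"
    raise ValueError("unknown fileInspectorType %r" % inspector_type)

# Constructed samples: a text file renamed to .jpg (the case the page warns
# about) and a genuine JPEG prefix.
RENAMED_TXT = b"just some text\n"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```

Under the default policy 1, inspect_upload("a.jpg", RENAMED_TXT) is rejected while inspect_upload("a.jpg", REAL_JPG) passes; policy 0 lets an unlisted type such as .csv through without a header check.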


4. Script Call Formula Restriction


1) Description

FR.remoteEvaluate and FR.remoteEvaluateAsync are frequently used JS interfaces for calling SQL queries, but they carry serious security risks.

The SQL executed through these two interfaces travels in plaintext in the request. As long as this method is used in any template, or someone knows about these interfaces, an attacker can execute JS code on the front end to tamper with the database. This risk level is equivalent to remote execution. As a result, the Script Call Formula Restriction feature has been added to both FineReport 9.0 and FineReport 10.0.

When FR.remoteEvaluate or FR.remoteEvaluateAsync is used and the formula belongs to Report Functions, users are prompted with "This call has security risks. If you need to use it, please modify the script call formula restrictions in Security Management." when previewing the template with Script Call Formula Restriction enabled.

Note: we suggest keeping this feature enabled unless it is necessary to turn it off, since security vulnerabilities may exist while it is off. Please contact us for scenarios in which you find it necessary to disable this feature.

2) Example

Type "Test" in B4 and add Hyperlink -> JavaScript, as shown below:


Preview the template by Pagination Preview and click on "Test":



5. Security Headers

Once this feature is enabled, HTTP security headers are added to prevent attacks on known vulnerabilities.

Clicking Advanced Setting displays 5 switches for advanced security features, as shown below:

Note: enabling Security Headers puts all 5 features in use by default, and the advanced security features cannot be turned on while Security Headers is disabled.


You can find the detailed information about Security Headers in the following table:

CSP Content Security Policy

  1. Once enabled, Content-Security-Policy: object-src 'self' is added to the header.

  2. To customize this feature, add a new field named WebSecurityConfig.contentSecurityPolicyHeader to the table fine_conf_entity and set its value.

XSS Attack Protection

  1. Once enabled, X-XSS-Protection: 1; mode=block is added to the header.

  2. To customize this feature, add a new field named WebSecurityConfig.xssProtectionHeader to the table fine_conf_entity and set its value.

Click Attack Protection

  1. Once enabled, X-Frame-Options: SAMEORIGIN is added to the header.

  2. To customize this feature, add a new field named WebSecurityConfig.frameOptionsHeader to the table fine_conf_entity and set its value.

Content Sniffing Attack Protection

  1. Once enabled, X-Content-Type-Options: nosniff is added to the header.

  2. To customize this feature, add a new field named WebSecurityConfig.contentTypeOptionsHeader to the table fine_conf_entity and set its value.

Browser Cache Disabled

  1. Once enabled, Cache-Control: no-cache, Pragma: no-cache and Expires: 0 are added to the header.

  2. To customize this feature, add new fields named WebSecurityConfig.cacheControlHeader, WebSecurityConfig.cacheControlExpiresHeader and WebSecurityConfig.cacheControlPragmaHeader to the table fine_conf_entity and set their values.

Note: the WebSecurityConfig.cacheControlHeader field holds the value of the Cache-Control header, the WebSecurityConfig.cacheControlExpiresHeader field holds the value of the Expires header, and the WebSecurityConfig.cacheControlPragmaHeader field holds the value of the Pragma header.


Note:

  • If the report is embedded via cross-domain iframe and unable to be accessed, please disable the Click Attack Protection feature under Advanced Setting of Security Headers.

  • If SSO reports cross-domain issues, please disable the Content Sniffing Attack Protection feature under Advanced Setting of Security Headers.

Specific settings enabled by default are:

res.addHeader("X-Content-Type-Options", "nosniff");
res.addHeader("X-XSS-Protection", "1; mode=block");
res.addHeader("X-Frame-Options", "SAMEORIGIN");
res.addHeader("Content-Security-Policy", "object-src 'self'");
res.addHeader("Cache-Control", "no-cache");
res.addHeader("Pragma", "no-cache");
res.addDateHeader("Expires", 0);
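As an added example (not FineReport's own code), the function below audits one response's headers against the defaults listed for HSTS Settings (section 2) and the five Security Headers above, so an administrator can confirm what the platform actually sends after the switches are set. It works on a plain header dictionary; the sample response is constructed and the tolerance for customized values is an assumption.

```python
# Added example, not FineReport's own code: audit one response's headers against
# the defaults this page lists for HSTS Settings (section 2) and the five
# Security Headers above. It takes a header dict (as http.client's
# getheaders() yields) so it runs offline on the constructed sample below.

# Page defaults; values customised via fine_conf_entity are compared after
# lower-casing and removing whitespace, so only real differences are flagged.
EXPECTED = {
    "content-security-policy": "object-src 'self'",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "cache-control": "no-cache",
    "pragma": "no-cache",
}
MIN_HSTS_AGE = 31536000  # one year, the default max-age given in section 2

def _norm(value):
    return "".join(value.lower().split())

def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; -1 if absent."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return -1

def audit_headers(headers):
    """Return {header: problem} for each header missing or differing from the
    page's default; an empty dict means the response passes."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, want in EXPECTED.items():
        if name not in got:
            findings[name] = "missing"
        elif _norm(got[name]) != _norm(want):
            findings[name] = "differs from default: " + got[name]
    hsts = got.get("strict-transport-security", "")
    if not hsts:
        findings["strict-transport-security"] = "missing (HSTS off or not https)"
    elif hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings["strict-transport-security"] = "max-age below one year: " + hsts
    return findings

# Constructed sample: HSTS on, X-Frame-Options customised to DENY (reported as a
# difference for review, not a weakness) and Pragma left out.
SAMPLE = {"Strict-Transport-Security": "max-age=31536000; includeSubdomains",
          "Content-Security-Policy": "object-src 'self'",
          "X-XSS-Protection": "1; mode=block", "X-Frame-Options": "DENY",
          "X-Content-Type-Options": "nosniff", "Cache-Control": "no-cache"}
```

audit_headers(SAMPLE) reports the DENY value and the missing Pragma header; an empty result means every switch above is producing its documented value.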


6. Improved Request Response

1) Detailed stack information will be displayed when the option is disabled.


2) Once enabled, all stack information will be converted to a simple error message "Request error. If you need to view detailed error information, please go to the settings in Security Management."


7. Token authentication enhancement

The Token authentication enhancement button is turned off by default.

The login information stored in the state server for each token includes the client IP. After the Token authentication enhancement button is turned on, the server adds IP verification:

If the IP is the same, the request is released automatically.

If the IP is different, the request is recognized as coming from a new client, the user is automatically redirected to the login page, and must log in again.
