Web server security configuration v10

Suggest edits

This page details how to secure the PEM web server.

On Windows, the supported web server is Apache HTTPD. Apache HTTPD is bundled with PEM under the name PEM HTTPD. The Apache HTTPD configuration file is pem.conf and the SSL configuration file is httpd-ssl-pem.conf. Both configuration files are in the <Apache_Installation_Path>/conf/addons directory.

On Linux, both NGINX and Apache HTTPD are supported. The NGINX configuration file is /etc/nginx/conf.d/edb-pem.conf on RHEL-like systems and /etc/nginx/sites-available/edb-pem.conf on Debian-like systems. the Apache HTTPD configuration file is edb-pem.conf and the SSL configuration file is edb-ssl-pem.conf. Both configurations files are in the <Apache_Installation_Path>/conf.d directory.

Recommendations applied by default

These recommendations are applied by default in new installations of PEM. If you have customized your web server configuration, or carried it over from a much older version of PEM, you can use this information to verify that your configuration meets current standards.

Disable insecure SSL and TLS protocols

In new installations of PEM, SSL versions SSLv2, SSLv3, TLS 1, and TLS 1.1 are disabled by default. These versions are the most vulnerable and have cryptographic concerns.

For NGINX, PEM adds the following line to the configuration file:

ssl_protocols TLSv1.2 TLSv1.3;

For Apache HTTPD, PEM adds the following lines to the SSL configuration file:

SSLProtocol -All TLSv1.2
SSLProxyProtocol -All TLSv1.2

You can verify that TLS 1.1 is disabled using the following command, replacing the URL with that of your web server. A return value of 35 means TLS 1.1 is disabled whereas 0 means it is enabled.

curl -k -v -s --tls-max 1.1 https://pem-server:8443 >/dev/null 2>&1; echo $?

Disable web server information exposure

In new installations of PEM, the web server is configured to minimize the information about the server exposed to clients by disabling server tokens (which expose information about the server in response headers) and server signatures (which expose information in the footers server-generated pages such as error messages).

For NGINX, PEM adds the following line to the configuration file:

server_tokens off;

For Apache HTTPD, PEM adds the following lines to the SSL configuration file:

ServerTokens Prod
ServerSignature Off

Disable directory listing

The directory listing allows an attacker to view the complete contents of directories from which content is served. This listing might lead to the attacker reverse engineering an application to obtain the source code, analyze it for possible security flaws, and discover more information about an application.

To avoid this risk, PEM disables directory listing

For NGINX, PEM sets autoindex: off.

For Apache HTTPD, PEM sets setting the Options -Indexes directive:

<Directory /application/directory> Options -Indexes </Directory>

Cross-site tracing

The TRACE and TRACK HTTP methods are used for debugging servers. When an HTTP TRACE request is sent to a supported web server, the server responds and echoes the data passed to it, including any HTTP headers. We recommend that you disable these methods in the Apache configuration.

In NGINX, TRACK and TRACE methods are disabled by default. In Apache HTTPD, PEM includes the following lines in the configuration file to reject these methods. Note that some scanners do not understand this syntax, so may incorrectly report that these methods are allowed.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .\* - [F]

You can verify that TRACK and TRACE are disabled with the following commands replacing the URL with that of your web server. A return value of 35 means TLS 1.1 is disabled whereas 0 means it is enabled. If the methods are disabled, the command will return an HTML response including the text 405 Method Not Allowed or similar.

curl -kL -X TRACK https://pem-server:8443/pem
curl -kL -X TRACE https://pem-server:8443/pem

Optimize HTTP headers for security

PEM sets various HTTP header options to improve security. These settings are defined in the config.py and and config_distro.py files. This file is located at /usr/edb/pem/web on Linux and at C:\ProgramFiles\edb\pem\server\share\web on Windows.

If you wish to alter any of these settings, you should not edit these files, but instead create (or edit if it already exists) a file named config_local.py in the same location and add your desired settings. These settings will override those in the config.py and and config_distro.py files and will not be overwritten during a PEM upgrade.

For detailed information on the config.py file, see Managing configuration settings.

X-Frame-Options

X-Frame-Options indicate whether a browser is allowed to render a page in an <iframe> tag. It specifically protects against clickjacking. PEM has a host validation X_FRAME_OPTIONS option to prevent these attacks, which you can configure in the config_local.py file. The default is:

X_FRAME_OPTIONS = "SAMEORIGIN"

Content-Security-Policy

Content-Security-Policy is part of the HTML5 standard. It provides a broader range of protection than the X-Frame-Options header, which it replaces. It is designed so that website authors can whitelist domains. The authors can load resources (like scripts, stylesheets, and fonts) from the whitelisted domains and also from domains that can embed a page.

PEM has a host validation CONTENT_SECURITY_POLICY option to prevent attacks, which you can configure in the config_local.py file. The default is:

CONTENT_SECURITY_POLICY = "default-src https: data: blob: 'unsafe-inline' ‘'unsafe-eval';"

Strict-Transport-Security

The Strict-Transport-Security (HSTS) response header can prevent a man-in-the-middle attack. When you enable the option, websites or web applications tell browsers that they accept only HTTPS and not HTTP. The default is:

STRICT_TRANSPORT_SECURITY = "max-age=31536000;includeSubDomains"
Note

Adding this parameter can cause problems if config is changed. Therefore, we recommend that you add it only after PEM installation is complete and tested.

X-Content-Type-Options

The X-Content-Type-Options response HTTP header is a marker. The server uses the marker to indicate that the MIME types advertised in Content-Type headers can't be changed and followed. The following is a way to opt out of MIME type sniffing, that is, to say that the MIME types are deliberately configured. The default is:

X_CONTENT_TYPE_OPTIONS = "nosniff"

X-XSS-Protection

Cross-site scripting (XSS) is one of the most common application layer vulnerabilities in the web servers. XSS enables attackers to inject client-side scripts into web pages that other users view. The HTTP X-XSS-Protection response to the header is a feature of Internet Explorer, Chrome, and Safari. It stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. These protections are unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'). However, these protections can still provide protections for users of older web browsers that don't yet support CSP. The default is:

X_XSS_PROTECTION = "1; mode=block"

Cookies are small packets of data that a server sends to your browser to store configuration data. The browser sends them and all other requests to the same server, so it’s important to know how to secure cookies. Multiple configuration options in config.py can make cookies secure. These are the three most important options:

  • SESSION_COOKIE_SECURE The flag prevents cookies from sending over an unencrypted connection. The browser can't add the cookie to any request to a server without an encrypted channel. The browser can add cookies only to connections such as HTTPS. The default is:

    SESSION_COOKIE_SECURE = True

  • SESSION_COOKIE_HTTPONLY By default, JavaScript can read the content of cookies. The HTTPOnly flag prevents scripts from reading the cookie. Instead, the browser uses the cookie only with HTTP or HTTPS requests. Hackers can't exploit XSS vulnerabilities to learn the contents of the cookie. For example, the sessionId cookie never requires that it be read with a client-side script. So, you can set the HTTPOnly flag for sessionId cookies. The default is:

    SESSION_COOKIE_HTTPONLY = True

  • ENHANCED_COOKIE_PROTECTION When you set this option to True, then a token is generated according to the IP address and user agent. In all subsequent requests, the token recalculates and compares to the one computed for the first request. If the session cookie is stolen and the attacker uses it from another location, the generated token is different. In that case, the extension clears the session and blocks the request. The default is:

    ENHANCED_COOKIE_PROTECTION = True

    !!! Note This option can cause problems when the server deploys in dynamic IP address hosting environments, such as Kubernetes or behind load balancers. In such cases, set this option to False.

    To apply the changes, restart the web server.

    For detailed information on config.py file, see Managing Configuration Settings.

Additional recommendations that can be applied manually

These recommendations are not applied automatically because they require additional information or action specific to the environment in which PEM is deployed.

Secure HTTPD with SSL certificates

During PEM configuration, a self-signed certificate is generated to secure traffic between the web server and clients. To enhance security and to prevent browser warnings that the site is not secure, we recommend that you replace this certificate with one signed by a trusted certificate authority.

Run the web server from a non-privileged user account

On Linux, PEM utilizes web server packages provided by the OS. Typically, these create a service unit which runs the web server as the root user.

Running the web server as a root user can create a security issue. We recommend that you run the web server as a unique non-privileged user. Doing so helps to secure any other services running during a security breach.

Variations in WSGI service by platform

PEM runs as a WSGI application. On Linux, when the web server is NGINX, the WSGI application is run by a separate service, edb-uwsgi, which runs as the pem user. When the web server is Apache HTTPD, the WSGI application is run by a daemon process which is a child of the Apache HTTPD process. The daemon process is run as the pem user.

On Windows, the WSGIDaemonProcess directive and features aren't available so both the web server and the WSGI app run as the system user (the LocalSystem account).

Restrict the access to a network or IP address

It is good practice to restrict access to the web server to the smallest set of IP addresses compatible with your business needs. This is most commonly done at the network infrastructure level, for example through firewall configuration, but can also be enforced by the web server. The PEM application configuration file (<PEM_INSTALLATION_PATH>/web/config_local.py) supports an ALLOWED_HOSTS configuration parameter for this purpose.

For example:

# You can specify one or more subnets:
ALLOWED_HOSTS = ['225.0.0.0/8', '226.0.0.0/7', '228.0.0.0/6']

# You can specify individual host addresses:
ALLOWED_HOSTS = ['127.0.0.1', '192.168.0.1']

To apply the application configuration file changes, restart the web server.

← Prev

Securing your deployment

↑ Up

Securing your deployment

Next →

PEM application security configurations