Basic protection
We recommend configuring the following basic protection mechanism for every web application:
- HTTP protocol validation and error handling: nevisAdmin provides pre-configured HTTP protection as well as an error handling filter; both should be assigned to the application's mappings. Note: the order of the filters is relevant; the error handling filter should normally be placed at the top of the mapping's resource list.

:::info
Sometimes it may be necessary to adapt the settings of one of these default filters to meet application-specific requirements. We recommend duplicating these objects before modifying them and using the copy for your application.
:::
- Secure the application's session cookie: Each mapping allows managing the cookies sent by the application provider. When cookies are stored within nevisProxy, they are not forwarded to the browser; instead, they are merged into each incoming request before it is propagated to the content provider. Whenever possible, we suggest storing cookies in the cookie manager rather than passing them to the client.
- Restrict the allowed URL mappings: Avoid mapping the root path `/` to any application back end (or, if you really have to, use a URL white list filter; see the chapter White list based input validation for URL path). Instead, configure the required URL paths within your mapping.
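The three mechanisms above are easier to reason about when seen together in a toy request pipeline. The following is an added example written for this page, not nevisProxy or nevisAdmin code, and it does not reproduce their configuration format: it models a filter chain where the error handling filter runs outermost, a mapping table that lists explicit application paths instead of `/` (with path normalization so a prefix check cannot be sidestepped by dot segments or percent-encoding), and a proxy-side cookie store that absorbs the application's `Set-Cookie` headers and re-attaches them to later requests instead of forwarding them to the browser. The mapping table, backend names and session id are constructed for the demo.

```python
"""Toy reverse-proxy filter chain (added illustration, not nevisProxy code)."""
from urllib.parse import unquote
import posixpath

# Constructed mapping table: explicit application prefixes only, never "/".
MAPPINGS = {
    "/app/": "backend-app",
    "/api/v1/": "backend-api",
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def normalize_path(raw_path):
    """Percent-decode and collapse dot segments so a prefix check cannot be
    bypassed with '/app/../admin' or '%2e%2e'. Returns None for paths that
    are not absolute or carry NUL / backslash characters."""
    path = unquote(raw_path)
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return None
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath drops the trailing slash; keep it for prefix matching
    return normalized


def resolve_backend(raw_path, mappings=MAPPINGS):
    """Return the backend of the first mapping whose prefix matches, else None.
    A request for '/' or any unmapped path is rejected rather than proxied."""
    path = normalize_path(raw_path)
    if path is None:
        return None
    for prefix, backend in mappings.items():
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return backend
    return None


class CookieStore:
    """Proxy-side cookie store: Set-Cookie headers from the application are kept
    here per proxy session and merged into later requests; they never reach the client."""

    def __init__(self):
        self._jar = {}  # proxy session id -> {cookie name: value}

    def absorb(self, session_id, response_headers):
        """Strip Set-Cookie from an upstream response; return the headers that may go out."""
        kept = []
        for name, value in response_headers:
            if name.lower() == "set-cookie":
                cname, _, cvalue = value.split(";", 1)[0].partition("=")
                self._jar.setdefault(session_id, {})[cname.strip()] = cvalue.strip()
            else:
                kept.append((name, value))
        return kept

    def merge(self, session_id, request_headers):
        """Add a Cookie header built from the stored cookies of this session."""
        cookies = self._jar.get(session_id, {})
        if not cookies:
            return list(request_headers)
        cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
        return list(request_headers) + [("Cookie", cookie_header)]


def error_handling_filter(request, next_filter):
    """Outermost filter: any failure further down becomes a generic response,
    so stack traces and backend details are not leaked to the client."""
    try:
        return next_filter(request)
    except Exception:
        return {"status": 500, "body": "Internal error"}


def http_validation_filter(request, next_filter):
    """Minimal HTTP protocol validation: method allow-list and URI length cap."""
    if request.get("method") not in ALLOWED_METHODS:
        return {"status": 405, "body": "Method not allowed"}
    if len(request.get("path", "")) > 2048:
        return {"status": 414, "body": "URI too long"}
    return next_filter(request)


def mapping_filter(request, next_filter):
    """Resolve the backend from the mapping table; unmapped paths get 404.
    Deliberately indexes request["path"] so a malformed request raises."""
    backend = resolve_backend(request["path"])
    if backend is None:
        return {"status": 404, "body": "No mapping"}
    request["backend"] = backend
    return next_filter(request)


def build_chain(filters, handler):
    """Compose filters so the first entry in the list runs outermost."""
    def run(index, request):
        if index == len(filters):
            return handler(request)
        return filters[index](request, lambda req: run(index + 1, req))
    return lambda request: run(0, request)
```

With `error_handling_filter` first in the list, a backend exception comes back as a generic 500; put `mapping_filter` ahead of it and a malformed request escapes the chain unhandled, which is why the page tells you to keep the error handling filter at the top of the resource list.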