Security feature checklist
Use the following checklist to document the security features which have been activated for your configuration.
Level 1, TCP, TLS and DoS protection
- All application resources (hosts, URLs) are integrated into nevisProxy and no longer directly accessible from the internet.
- HTTPS is used to encrypt the traffic between the client and the proxy server. Only secure cipher suites are allowed to be used.
- Key management processes have been defined.
- Connection and keep-alive timeouts have been defined.
- TCP DoS prevention has been enabled.
- Log level is set to notice and OP tracing has been enabled.
Level 2, HTTP protocol validation and acceleration
- Protocol validation and restriction filters have been activated for the HTTP request line (methods, length).
- Protocol validation and restriction filters have been activated for the HTTP request headers (validation patterns, size restriction, names).
- Protocol validation and restriction filters have been activated for the HTTP request body (size).
- Filters for the HTTP response headers have been defined (names).
- Error filter has been activated.
- Cookie manager/filter has been configured and activated.
- Cache filter has only been activated for public content (anonymous access).
- Numbers of concurrent requests per application have been limited.
- Brute force detection, limiting the number of rule violations per client IP, has been activated.
Level 3, Session management and user authentication
- Only known URIs have been configured to be accessible by the client (no access to the "/" path).
- User authentication has been enabled for all applications requiring authentication.
- Session timeouts and store size have been defined.
- Uses secure client session identification.
- Session DoS prevention has been enabled.
- Proxy uses secure cookie and sets the httponly flag.
- Brute force detection, limiting the number of failed login attempts, has been activated.
- Navajo cookie is locked to additional client attributes.
Level 4, application-specific content filtering
- Input validation blacklists have been activated (XSS, SQL, other).
- Input validation whitelists have been defined for request lines.
- Input validation whitelists have been defined for request lines and body.
- XML and SOAP validation is used for Web service calls.
- XML or JSON validation, plus URL and HTTP method white-listing, are used for RESTful services.
- URL encryption/signing filter has been activated.
- Form signing has been activated.
- CSRF protection has been enabled (session id injection, referrer header check, milestones, POST/GET filter).
- HTTP security headers are configured.
Default installation and miscellaneous elements
- Make sure the TestServlet is not configured in production.
- Make sure the DefaultServlet does not point to the default index.html but to your entry point URL.
- Replace default error pages with your own error pages.
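As an added example (not nevisProxy code or configuration), a small audit over captured response headers that verifies three items from the checklist above: response header names are filtered, the proxy cookie carries the Secure and HttpOnly flags, and HTTP security headers are configured. The sets of required and forbidden header names are assumptions, since the page does not enumerate them; adjust them to your own policy.

```python
"""Audit captured HTTP response headers against checklist items.
Added example; header name policy below is an assumption, not nevisProxy's."""
from http.cookies import SimpleCookie

# Security headers the proxy is expected to add (assumed set).
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}
# Backend headers the response header filter should strip (assumed set).
FORBIDDEN_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def audit_response(headers):
    """headers: list of (name, value) tuples as captured from one response.
    Returns a list of findings; an empty list means all checks passed."""
    findings = []
    names = {name.lower() for name, _ in headers}
    for h in sorted(REQUIRED_HEADERS - names):
        findings.append(f"missing security header: {h}")
    for h in sorted(FORBIDDEN_HEADERS & names):
        findings.append(f"leaking response header: {h}")
    # Every Set-Cookie must carry Secure and HttpOnly (Level 3 items).
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {key} lacks Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {key} lacks HttpOnly flag")
    return findings


# Constructed sample: a partially hardened response.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Server", "Apache/2.4"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "Navajo=abc123; Path=/; Secure"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
```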