Secure Headers Normalized TLS

big
Hi,
On R12.2.4 DB 11.2.4
And R12.2.9 DB 19c

We want to have Secure Headers by setting the following parameters:

Header            Value
X-Frame-Options   same-origin
Referrer-Policy   same-origin
Cache-Control     no-store, max-age=0

I found X-Frame-Options in httpd.conf. I did not find the others.

Where are they if available in E-Business? I mean Referrer-Policy and Cache-Control.

For X-Frame-Options any other configuration file to edit? Other than httpd.conf?

Thanks.

Re: Secure Headers Normalized TLS

ErmanArslansOracleBlog
Administrator
Things like Cache-Control are also a client-dependent config. It may be set at the HTTP Server level, but these are not documented (at least not documented for Oracle; I mean those .htaccess-related tricks).

--> Header always set Cache-Control "no-cache, public" -- Note that I didn't try that. Probably this will not work.

Similarly, for Referrer-Policy -> Header always set Referrer-Policy "same-origin"

Other than that, it is the client (the EBS code that the client uses, actually) that sets some meta to tell whether it wants the content to be cached or not.

There may be a config file for configuring the code (making it set these types of meta according to the way we want), but I have no EBS to check that.
So you may check your EBS by recursively reading the configuration-related directory (using the keywords Cache-Control and Referrer-Policy).

*These are packaged applications as you know. So you can't just do whatever you want before getting approval from Oracle. So you shouldn't change these types of things (undocumented and crucial) without getting Oracle's approval.

Anyway, create an Oracle SR and check the following in parallel:

Administering Security for Oracle HTTP Server, Configuring HTTP Secure Headers

https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/12.2.1.4/secure-ohs/configuring-http-secure-headers.html
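
The recursive search suggested in the reply above, as an added example that is not part of the thread: a shell function that looks through Apache-style config files for active mod_headers `Header` directives setting the three headers from the first post. The file name patterns and the sample `httpd.conf` are assumptions constructed for illustration; pass your own configuration directory as the argument.

```shell
#!/bin/sh
# Added example, not from the thread: find where mod_headers sets each header.
WANTED="X-Frame-Options Referrer-Policy Cache-Control"

# audit_headers DIR
# Prints "<name> SET <file>:<line>:<directive>" for every active directive that
# sets a wanted header, or "<name> MISSING". Returns 1 if any header is missing.
audit_headers() {
    dir=$1
    missing=0
    for name in $WANTED; do
        # Active lines only: a commented-out line cannot match ^[[:space:]]*Header.
        # "unset" is deliberately absent from the action list.
        re="^[[:space:]]*Header[[:space:]]+((always|onsuccess)[[:space:]]+)?"
        re="${re}(set|setifempty|append|merge|add)[[:space:]]+\"?${name}\"?([[:space:]]|\$)"
        # /dev/null makes grep print the file name even when find passes one file;
        # "|| true" because grep exits non-zero when nothing matches.
        hits=$(find "$dir" -type f \( -name '*.conf' -o -name '.htaccess' \) \
                   -exec grep -niE "$re" /dev/null {} + 2>/dev/null) || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$name SET |"
        else
            printf '%s MISSING\n' "$name"
            missing=1
        fi
    done
    return "$missing"
}

# make_sample DIR: writes a constructed httpd.conf (not a real EBS file).
make_sample() {
    mkdir -p "$1/conf"
    cat > "$1/conf/httpd.conf" <<'EOF'
Header always append X-Frame-Options SAMEORIGIN
# Header always set Referrer-Policy "same-origin"
EOF
}

# Usage: sh audit_headers.sh DIR   (no argument: run on the constructed sample)
if [ -n "${1:-}" ]; then
    audit_headers "$1" || echo "one or more headers are not set" >&2
else
    demo=$(mktemp -d)
    make_sample "$demo"
    audit_headers "$demo" || true
    rm -rf "$demo"
fi
```

This only sees mod_headers directives in config files; headers emitted by the application code, as the reply notes, will not show up here and have to be confirmed from an actual response.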

Re: Secure Headers Normalized TLS

big
Thanks Erman.

Re: Secure Headers Normalized TLS

big
Hi again,

In the note 2040420.1, it talks about it and it is said that it is applied to

Oracle HTTP Server - Version 11.1.1.2.0 and later

How can I know Apache version in 11.5.10.2?

I found and tried

/u1/appl_top/system/systemaora/iAS/bin$ ./httpd -version

But I received :

ksh: ./httpd:  not found.

Thanks and regards.

Re: Secure Headers Normalized TLS

ErmanArslansOracleBlog
Administrator
You are in the wrong directory and the required approach is a little different...

->

Connect as applmgr and set the env. to RUN FS
$ cd $FMW_HOME
$ . ./SetWebtier.env
$ echo $ORACLE_HOME    # this should now be set up for $FMW_HOME/webtier
$ export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/ohs/lib:$FMW_HOME/oracle_common/lib
$ cd $ORACLE_HOME/ohs/bin
$ ./httpd -version
Server version: Oracle-HTTP-Server/2.2.22 (Unix)
Server built: Mar 23 2020 08:46:57
Server label: APACHE_11.1.1.9.0_LINUX.X64_RELEASE

Ref: How To Find Oracle HTTP Server Version From The Command Line In EBS 12.2.x (Doc ID 2716783.1)