There have been a few recurring requests from various clients to make the Hyperion Workspace and SmartView URLs available over TLS 1.2 and then pass the penetration tests conducted with various scanning tools. We set up OHS 11.1.1.9 (instead of the default OHS 11.1.1.7) to support TLS 1.1 onwards. When the penetration tests were run, most of the tools pointed out similar defects. Here are a few fixes for them.
1. Limit the information the web server presents. Make the following changes in httpd.conf.
Note that this entry does not take effect unless you specify both forms, as below:
Header always unset "X-Powered-By"
Header unset "X-Powered-By"
This hides the CGI-related header; refer to the image below.
2. To ensure that all cookies coming from OHS are flagged HttpOnly and Secure, the following can be configured in the httpd.conf file:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Note that this pattern appends the two attributes to every Set-Cookie unconditionally, so a cookie that already carries them ends up with duplicated attributes (harmless to browsers, but some scanners report it).
See the screenshot below:
3. Remove any .exe from the Workspace.
We just renamed the wspace folder.
The folder E:\Oracle\Middleware\EPMSystem11R1\common\epmstatic\wspace was renamed. This prevents end users from downloading any .exe such as SmartView. I understand it defeats the purpose, but in a controlled environment most end users do not have Admin access to install it anyway; they require an Administrator to install it for them individually.
4. Similarly, you can hide other headers as below:
Header unset X-Content-Type-Options
Keep in mind that X-Content-Type-Options: nosniff is a protective header rather than an information leak, so only unset it if a scanner or application specifically requires it.
5. Remove the Server version.
The usual header settings, as below, do not work for this:
Header unset Server
Header always unset Server
So I had to switch ServerTokens off instead of keeping it at Prod, which is expected to give out minimal information:
#ServerTokens Prod
ServerTokens None
This did the trick.
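To confirm that items 1, 2 and 5 above actually took effect, it helps to audit a raw response the way a scanner does. The following is an added example (not part of the original post or of any Oracle tool) that parses a constructed OHS-style response, reports the disclosures and missing cookie flags the scanners flagged, and shows an idempotent version of the Set-Cookie rewrite that does not duplicate attributes; the header and cookie values are made up for illustration.

```python
# Constructed sample response: header values are invented for illustration.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Oracle-HTTP-Server/11.1.1.9\r\n"
    b"X-Powered-By: Servlet/2.5 JSP/2.1\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/workspace\r\n"
    b"Set-Cookie: WSPACE_SESSION=xyz; Path=/; HttpOnly; Secure\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_headers(raw):
    """Return (name, value) pairs from the header block of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attrs(value):
    """Lower-cased attribute names of a Set-Cookie value (everything after name=value)."""
    return {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}


def harden_cookie(value):
    """Add HttpOnly and Secure only when absent.
    The httpd.conf 'Header edit' rule appends both unconditionally; this checks first."""
    attrs = [a.strip() for a in value.split(";")]
    present = cookie_attrs(value)
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join(attrs)


def audit(raw):
    """Return the findings a scanner would raise against this response."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "x-powered-by":
            findings.append(f"X-Powered-By disclosed: {value}")
        elif name == "server" and value:
            findings.append(f"Server header disclosed: {value}")
        elif name == "set-cookie":
            cookie, flags = value.split("=", 1)[0], cookie_attrs(value)
            for flag in ("httponly", "secure"):
                if flag not in flags:
                    findings.append(f"cookie {cookie} missing {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Replace SAMPLE_RESPONSE with the bytes of a real response captured from the Workspace URL after applying the httpd.conf changes; an empty findings list means the headers are gone and every cookie carries both flags.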
The settings above harden the HTTP server further. I am still working on disabling dangerous HTTP methods such as OPTIONS, TRACE and DELETE. I have sent the link for the penetration test; if it succeeds I will post the results on this blog.