Inherited Jarvis Security

N2FE uses the Jarvis RESTful web service framework as a basis for its backend web services. By using Jarvis, N2FE inherits a number of security mechanisms, including CSRF and XSRF protection.

CSRF and XSRF Protection

CSRF protection in N2FE is enabled by default. In the N2FE configuration file, the application configuration is set up by default as follows:

<app
    <!-- other options -->
    log_format              = "[%H][%P/%A/%U/%D][%R] %M"
    error_response_format   = "[%T] Please contact your technical support line for this error and quote error code: %R"
    csrf_protection         = "yes"
    cross_origin_protection = "yes"
    xsrf_protection         = "yes"
    >

Cross origin protection, which ensures that each request to the API is from an appropriate referrer origin, is also enabled by default.

You may disable any of these protections by setting the corresponding configuration attribute to "no".

N2FE session cookies are protected using HTTP

<sessiondb store="driver:file;serializer:default;id:md5" expiry="+1800s" cookie="id">
    <parameter name="Directory" value="/tmp"/>
    <parameter name="Path" value="/jarvis-agent/n2fe/"/>
    <parameter name="Domain" value="n2fe.nsquared.co.nz"/>
    <parameter name="Secure" value="yes"/>
</sessiondb>

The configuration options Path, Domain and Secure are disabled by default; to increase cookie security, however, they should be set appropriately for the environment in which N2FE is installed and used.

Note that the HttpOnly and SameSite flags are set on session cookies by default. Note, however, that the SameSite flag is set only when the libcgi-pm-perl module version 4.29 or later is installed.
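As an added example that is not part of the N2FE or Jarvis documentation, the following Python script audits a Jarvis configuration fragment for the csrf_protection, cross_origin_protection and xsrf_protection flags and the session cookie parameters described above, and separately checks a Set-Cookie header returned by a running instance for Secure, HttpOnly and SameSite (the runtime check matters because SameSite depends on the installed CGI.pm version). The enclosing <jarvis> element, the nesting of sessiondb under app, and all sample values are assumptions.

```python
# Added example, not part of the N2FE/Jarvis documentation: audit a Jarvis config
# fragment for the settings this page describes, then check the Set-Cookie header a
# deployed N2FE returns. Wrapper element, nesting and sample values are assumptions.
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
APP_FLAGS = ("csrf_protection", "cross_origin_protection", "xsrf_protection")

# Constructed config: one protection off, cookie Path/Domain/Secure left at defaults.
SAMPLE_CONFIG = """
<jarvis>
  <app csrf_protection="yes" cross_origin_protection="no" xsrf_protection="yes">
    <sessiondb store="driver:file;serializer:default;id:md5" expiry="+1800s" cookie="id">
      <parameter name="Directory" value="/tmp"/>
    </sessiondb>
  </app>
</jarvis>
"""

def audit_config(xml_text):
    """Return a list of findings for a Jarvis config; an empty list means all checks passed."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    app = root.find(".//app")
    attrs = app.attrib if app is not None else {}
    for flag in APP_FLAGS:
        if attrs.get(flag, "no").lower() != "yes":  # a missing attribute counts as "no"
            findings.append(f'app: {flag} is not "yes"')
    sess = root.find(".//sessiondb")
    params = {p.get("name"): p.get("value") for p in sess.findall("parameter")} if sess is not None else {}
    for name in ("Path", "Domain"):
        if not params.get(name):
            findings.append(f"sessiondb: parameter {name} not set")
    if params.get("Secure", "no").lower() != "yes":
        findings.append('sessiondb: parameter Secure is not "yes"')
    return findings

def audit_set_cookie(header):
    """Check one Set-Cookie header value for the attributes a hardened session cookie needs."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["samesite"]:  # Jarvis only sets SameSite with CGI.pm 4.29 or later
            findings.append(f"{name}: missing SameSite")
    return findings
```

audit_set_cookie takes the value of a single Set-Cookie response header, for example the one returned when a session is established against the deployed N2FE.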

Limiting Data Uploads

N2FE does not require file uploads or large POST requests. To prevent clients from attempting to upload too much data, edit /etc/jarvis/cgi_params.pm and: