Inherited Jarvis Security
N2FE uses the Jarvis RESTful web service framework as a basis for its backend web services. By using Jarvis, N2FE inherits a number of security mechanisms, including CSRF and XSRF protection.
CSRF and XSRF Protection
CSRF protection in N2FE is enabled by default. In the N2FE configuration file, the application configuration is set up by default as follows:
<app
    <!-- other options -->
    log_format = "[%H][%P/%A/%U/%D][%R] %M"
    error_response_format = "[%T] Please contact your technical support line for this error and quote error code: %R"
    csrf_protection = "yes"
    cross_origin_protection = "yes"
    xsrf_protection = "yes"
>
Cross origin protection, which ensures that each request to the API is from an appropriate referrer origin, is also enabled by default.
You may disable any of these protections by setting the corresponding configuration attribute to "no".
Cookie Protection
N2FE session cookies are protected using HTTP
<sessiondb store="driver:file;serializer:default;id:md5" expiry="+1800s" cookie="id">
    <parameter name="Directory" value="/tmp"/>
    <parameter name="Path" value="/jarvis-agent/n2fe/"/>
    <parameter name="Domain" value="n2fe.nsquared.co.nz"/>
    <parameter name="Secure" value="yes"/>
</sessiondb>
The configuration options Path, Domain and Secure are disabled by default. To increase cookie security, however, they should be set appropriately for the environment into which N2FE is installed and in which it is to be used.
Path is the HTTP path to the Jarvis web service. This will almost always be /jarvis-agent/n2fe/. Domain must be the HTTP domain under which N2FE will be accessed; if multiple domains are to be used, this option may need to be left blank. Secure should be set to "yes" if all access is to be via HTTPS.
Note that the HttpOnly and SameSite flags are set on session cookies by default. However, the SameSite flag is set only when the module libcgi-pm-perl version 4.29 or later is installed.
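To confirm that a deployed N2FE instance actually emits the cookie attributes this configuration calls for, the following Python script, added here and not part of N2FE or Jarvis, derives the expected attributes from a constructed copy of the <sessiondb> fragment above and audits a Set-Cookie header against them. The SameSite and HttpOnly checks follow the note above; the sample cookie values are constructed.

```python
"""Audit a Set-Cookie header against the Jarvis <sessiondb> cookie settings."""
import xml.etree.ElementTree as ET

# Constructed copy of the <sessiondb> fragment from the configuration above.
SESSIONDB_XML = """
<sessiondb store="driver:file;serializer:default;id:md5" expiry="+1800s" cookie="id">
  <parameter name="Directory" value="/tmp"/>
  <parameter name="Path" value="/jarvis-agent/n2fe/"/>
  <parameter name="Domain" value="n2fe.nsquared.co.nz"/>
  <parameter name="Secure" value="yes"/>
</sessiondb>
"""


def expected_attributes(sessiondb_xml):
    """Derive the cookie name and attributes the configuration should produce."""
    root = ET.fromstring(sessiondb_xml)
    params = {p.get("name"): p.get("value") for p in root.findall("parameter")}
    expected = {"name": root.get("cookie", "id")}
    if params.get("Path"):
        expected["path"] = params["Path"]
    if params.get("Domain"):  # blank Domain means "not pinned to one host"
        expected["domain"] = params["Domain"]
    expected["secure"] = params.get("Secure", "").lower() == "yes"
    return expected


def parse_set_cookie(header):
    """Split a Set-Cookie header into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header, sessiondb_xml=SESSIONDB_XML):
    """Return a list of findings; an empty list means the cookie matches the configuration."""
    expected = expected_attributes(sessiondb_xml)
    name, attrs = parse_set_cookie(header)
    findings = []
    if name != expected["name"]:
        findings.append(f"cookie name {name!r} != configured {expected['name']!r}")
    for key in ("path", "domain"):
        if key in expected and attrs.get(key) != expected[key]:
            findings.append(f"{key} is {attrs.get(key)!r}, expected {expected[key]!r}")
    if expected["secure"] and "secure" not in attrs:
        findings.append("Secure flag missing")
    if "httponly" not in attrs:
        findings.append("HttpOnly flag missing")
    if "samesite" not in attrs:
        findings.append("SameSite missing (requires libcgi-pm-perl >= 4.29)")
    return findings
```

Run audit_cookie() on the Set-Cookie header returned by a login request to the Jarvis agent; any finding indicates a configuration or library-version gap to close.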
Limiting Data Uploads
N2FE does not require file uploads or large-scale POST requests. To stop clients from attempting to upload too much data, edit /etc/jarvis/cgi_params.pm and:
- Uncomment the configuration line $CGI::DISABLE_UPLOADS to disable all file uploads.
- Uncomment the configuration line $CGI::POST_MAX to limit uploads of data to less than 10Mb.