One of the ways data is secured in GroupWise Web is through security headers implemented in GroupWise Web messages. The latest standards for security headers prevent malicious attacks when end users interact with items in GroupWise Web. A list of these security headers and descriptions of what they do are provided in these sections:
Converts all HTTP protocol traffic to HTTPS to prevent man-in-the-middle attacks.
Prevents cross-site scripting and data-injection attacks by allowing only specific types of content. The default setting is “ON”. Although its use is not recommended, this header does have an override option that you can set with a Docker command. An example of the command is shown below:
docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name webacc-ng -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -e CSP=off -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/webacc-ng:latest
Sets the HttpOnly browser cookie flag so that the specialized cookie data cannot be accessed by client-side scripts or by anything other than the hosting server.
With the value for this header set to DENY, this header prevents browsers from presenting content in that have <iframe> elements.
With the value for this header set to SAMEORIGIN, this header prevents browsers from presenting content where the parent and child pages have different origins, which defends against clickjacking attacks.
With the value for this header set to NOSNIFF, this header prevents browsers from sniffing content and then treating it as an executable file.
Applied when links in items are clicked, to limit how much origin server data is sent to destination servers that are not the same as the origin server. Also blocks transfer of data to insecure sites that use HTTP rather than HTTPS.
Used for legacy-type browsers to block execution of cross-type scripts.
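The following added example (not part of the GroupWise documentation) audits a response's headers against the protections described above, including the case where the content-restricting header is absent, as would be expected with the CSP=off override. The standard header names, the accepted values for headers whose value the page does not state, and the sample responses are assumptions constructed for illustration.

```python
import re

# Standard header names, assumed here because the page describes the headers
# without naming them. Each check returns True when the value is acceptable.
CHECKS = {
    "strict-transport-security":
        lambda v: any(int(n) > 0 for n in re.findall(r"max-age=(\d+)", v.lower())),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
}

def parse_headers(raw):
    """Map lower-cased header names to the list of values seen (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers, findings = parse_headers(raw), []
    for name, ok in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing: {name}")
        elif not all(ok(v) for v in values):
            findings.append(f"weak value: {name}")
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"cookie without HttpOnly: {cookie.split('=')[0]}")
    return findings

# Constructed sample responses (not captured from a real GroupWise Web server).
COMMON = ("Strict-Transport-Security: max-age=31536000\nX-Frame-Options: DENY\n"
          "X-Content-Type-Options: nosniff\nReferrer-Policy: same-origin\n"
          "X-XSS-Protection: 1; mode=block\n")
HARDENED = ("HTTP/1.1 200 OK\n" + COMMON +
            "Content-Security-Policy: default-src 'self'\nSet-Cookie: sid=abc; Secure; HttpOnly\n\n")
CSP_MISSING = "HTTP/1.1 200 OK\n" + COMMON + "Set-Cookie: sid=abc; Secure\n\n"

if __name__ == "__main__":
    print(audit(HARDENED))
    print(audit(CSP_MISSING))
```

The audit function accepts any raw header block, so the saved output of a header-only request against your own GroupWise Web host can be passed to it in place of the constructed samples.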