98.4 Securing Data in GroupWise Web with Security Headers

One of the ways data is secured in GroupWise Web is through the security headers that GroupWise Web includes in its HTTP responses. These headers follow current browser security standards and help prevent common attacks (for example, cross-site scripting and clickjacking) when end users interact with items in GroupWise Web. A list of these security headers and descriptions of what they do are provided in these sections:

98.4.1 Strict-Transport-Security

Instructs the browser to use HTTPS for every subsequent connection to the GroupWise Web host for the period given by the header's max-age directive, so that plain HTTP requests are upgraded inside the browser before they leave it. This blocks the man-in-the-middle downgrade attacks that a server-side HTTP-to-HTTPS redirect alone cannot prevent.

98.4.2 Content-Security-Policy

Restricts the sources (origins) from which the browser may load scripts, styles, images, and other content on GroupWise Web pages, which prevents cross-site scripting and other content-injection attacks. The default setting is “ON”. Although not recommended, the header can be disabled by passing the CSP=off environment variable when you start the GroupWise Web container. Disabling it removes the browser-side defense against injected scripts for every GroupWise Web user. An example of the command is shown below:

docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name webacc-ng -e FQDN=webacc.acme.com -e DNS_SERVER= -e CSP=off -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/webacc-ng:latest

98.4.3 Set-Cookie

The cookies GroupWise Web sets carry the HttpOnly attribute, so client-side scripts running in the browser (for example, through document.cookie) cannot read them. The browser includes the cookie only in HTTP requests sent back to the hosting server, which prevents an injected script from stealing the cookie data.

98.4.4 X-Frame-Options (Deny)

With the value for this header set to DENY, the browser refuses to render GroupWise Web content inside a <frame> or <iframe> on any page, regardless of that page's origin. This prevents clickjacking attacks, in which a GroupWise Web page is overlaid invisibly on an attacker-controlled page so that the user's clicks land on it unknowingly.

98.4.5 X-Frame-Options (Same Origin)

With the value for this header set to SAMEORIGIN, the browser renders GroupWise Web content inside a frame only when the framing (parent) page and the framed (child) page have the same origin. Framing from any other origin is blocked, which prevents clickjacking attacks while still allowing GroupWise Web to frame its own pages.

98.4.6 X-Content-Type-Options

With the value for this header set to NOSNIFF, the browser honors the Content-Type that the server declares instead of sniffing the response body to guess its type. This stops the browser from treating an attachment or other response as script or another executable content type that the server did not declare.

98.4.7 Referrer-Policy

Applied when a user clicks a link in an item. It limits how much information about the GroupWise Web page (sent in the Referer request header) reaches a destination site that is not the same origin as the GroupWise Web server. It also withholds the referrer entirely when the destination site uses HTTP rather than HTTPS, so the GroupWise Web page URL is never sent over an unencrypted connection.

98.4.8 X-XSS-Protection

Enables the built-in cross-site scripting filter in legacy browsers, which stops the reflected cross-site scripting attacks that the filter detects. Current browsers ignore this header and rely on Content-Security-Policy instead, so it is sent for backward compatibility only.
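The following audit script is an added example and is not part of the GroupWise Web product or its documentation. It checks a captured HTTP response against the expectations described in the sections above: HSTS with a max-age, a Content-Security-Policy present (it is absent when the container is started with CSP=off), HttpOnly on every Set-Cookie, X-Frame-Options of DENY or SAMEORIGIN, nosniff, a Referrer-Policy that both limits cross-origin information and sends nothing on an HTTPS-to-HTTP downgrade, and a legacy X-XSS-Protection value. The two sample responses and their header values (including the CSP directives and cookie name) are constructed for the example and are not GroupWise Web's actual values, and the set of acceptable Referrer-Policy values is the editor's reading of the description above, since the page names no specific value. The optional live fetch assumes the server answers a HEAD request with the same headers it sends for GET.

```python
"""Audit the security headers a GroupWise Web (or any HTTPS) server sends.

Usage: python audit_headers.py [https://webacc.acme.com/]
Without a URL the constructed sample responses below are audited instead.
"""
import re
import sys
import urllib.request

# Referrer-Policy values that limit what a cross-origin destination learns AND
# send no referrer on an HTTPS -> HTTP downgrade. Assumption: the page describes
# this behaviour without naming a value, so this set is the editor's reading.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}

# Constructed sample: every header set the way the sections above describe.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block
"""

# Constructed sample: container started with CSP=off, a cookie set without
# HttpOnly, and X-Frame-Options missing entirely.
WEAKENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block
"""


def parse_headers(raw):
    """Turn a raw response (status line plus header lines) into {name: [values]}.

    Names are lower-cased; repeated headers such as Set-Cookie keep every value.
    """
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def first(headers, name):
    """First value of a header, or '' when it is absent."""
    return headers.get(name, [""])[0]


def audit(headers):
    """Return {header: (ok, detail)} for each header the sections above describe."""
    result = {}

    hsts = first(headers, "strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    result["Strict-Transport-Security"] = (bool(m) and int(m.group(1)) > 0,
                                           hsts or "missing")

    csp = first(headers, "content-security-policy")
    result["Content-Security-Policy"] = (bool(csp), csp or "missing (CSP=off?)")

    # Every cookie must carry HttpOnly; a response that sets no cookie passes.
    cookies = headers.get("set-cookie", [])
    bad = [c.split("=", 1)[0] for c in cookies
           if not re.search(r";\s*httponly\b", c, re.I)]
    detail = ("without HttpOnly: " + ", ".join(bad)) if bad else \
             "%d cookie(s), all HttpOnly" % len(cookies)
    result["Set-Cookie"] = (not bad, detail)

    xfo = first(headers, "x-frame-options").upper()
    result["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")

    xcto = first(headers, "x-content-type-options").lower()
    result["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")

    rp = first(headers, "referrer-policy").lower()
    result["Referrer-Policy"] = (rp in SAFE_REFERRER_POLICIES, rp or "missing")

    xss = first(headers, "x-xss-protection")
    result["X-XSS-Protection"] = (xss.strip().startswith("1"), xss or "missing")
    return result


def failing(raw):
    """Sorted names of the headers that fail the audit for a raw response."""
    return sorted(name for name, (ok, _) in audit(parse_headers(raw)).items() if not ok)


def fetch_raw_headers(url):
    """Live check: HEAD the URL and rebuild a raw status line plus headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return "HTTP/1.1 %s\r\n" % resp.status + \
               "".join("%s: %s\r\n" % kv for kv in resp.getheaders())


if __name__ == "__main__":
    raw = fetch_raw_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAKENED_RESPONSE
    for name, (ok, detail) in audit(parse_headers(raw)).items():
        print("%-4s %-28s %s" % ("PASS" if ok else "FAIL", name, detail))
```

Run it against the constructed WEAKENED_RESPONSE and the three headers that a CSP=off start and a non-HttpOnly cookie would break are reported as FAIL; point it at a real GroupWise Web URL to audit the live container after a configuration change.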