Reputation: 154
Web application response header duplication
I am working on the security enhancements of my application based on a security scan report. My application is a java EE web application running in wildfly. And it is exposed to the users through a reverse proxy server which is Apache.
I did the following changes in the standalone.xml file in Wildfly to enable strict transport security and httponly attributes.
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
<filter-ref name="x-frame-options"/>
<filter-ref name="x-xss-protection"/>
<filter-ref name="x-content-type-options"/>
<filter-ref name="transport-security"/>
</host>
</server>
<servlet-container name="default">
<jsp-config x-powered-by="false"/>
<session-cookie http-only="true" secure="true"/>
<websockets/>
</servlet-container>
However, when I go to the application page and check the response in the network tab, I see duplicate attributes.
Request Method: GET
Status Code: 200 OK
Referrer Policy: strict-origin-when-cross-origin
Connection: Keep-Alive
Content-Length: 4222
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 08 Jan 2021 02:36:52 GMT
Keep-Alive: timeout=5, max=99
Server: Apache
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f; Path=/MyApplication; HttpOnly
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f.application_uat; path=/MyApplication; secure; HttpOnly
Strict-Transport-Security: max-age=63072000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
Also, in one, JSESSIONID is secure and in the other one its not secure. I am not handling the configuration of Apache server. Could it be because of some configuration of the Apache server ? I am quite new to this so appreciate some help to figure this out.
Thank you.
Upvotes: 0
Views: 620
Answers (1)
Reputation: 964
If you have access to the application's source code, check to see if it has a custom cookie handler developed in-house.
Could be something as stupid as a piece of code that appends some text instead of overwriting it somewhere.
evidence suggests this:
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f; Path=/MyApplication; HttpOnly
SET-COOKIE: JSESSIONID=BOH0IrY-e2q24ks1bbMy9bBzqeDZshm1n1O02G_f.application_uat; path=/MyApplication; secure; HttpOnl
Effectively identical lines, with extra information added somewhere. suggests a handler that changes something along the way.
same goes for
Strict-Transport-Security: max-age=63072000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
which is kind of weird.
at any rate... it looks like something's dealing with 2 requests and modifying the same throughput... badly.
Upvotes: 0
Related Questions
- Catching duplicate request headers with HttpServletRequest
- Lost HTTP custom Header in Redirect response with java servlet
- how to read a single header for @RequestHeader annotation even if the user gives the duplicate headers
- Is it fine to use duplicate response header with same value?
- How to fix HTTP response header injection/HTTP Response Splitting
- Apache Camel copies all the request headers to response
- Multiple Response Headers with the same name in Java
- How to add a response header before forwarding to another resource
- What is alternate of php header in jsp and servlet applicaiton to stop duplicacy
- One socket, multiple http request, different Host header but server returns cached Host header