Server Configuration

Session Duration

server: sessionTimeout: 5400

SSL

Typical Setups use a separate reverse proxy as SSL Endpoint instead of the integrated SSL functionality. See Deployment overview.

Generate a key:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name jetty -caname root

 Make sure the keyAlias matches exactly - it is case sensitive.

To check the keystore, you may run

keytool(.exe) -list -v -keystore path\to\conf\keystore.p12

server:
    port: 8443
    ssl:
        keyStore: /certificates/keystore.p12
        keyStorePassword: secret
		keyAlias: jetty

Restricting Host Headers

It is possible to configure exactly which host headers the HTTP requests are allowed to have. If we don't configure this, the servers accepts all hosts.

The server checks the values of 'X-Forwarded-Host' and 'Host' header, where the header 'X-Forwarded-Host' takes priority. If no configured headers match the HTTP header value the servers responds with HTTP status 400. This also happens if the HTTP headers are missing.

To configure simply add the property 'hostHeaderAllowlist' to the config.yml, followed by a comma separated list of accepted domains.

hostHeaderAllowlist: mydomain1.com:8080, mydomain3.net

 The domains must be configured to the value that is sent to the server, which may differ from the URL in the browser.

CSRF Prevention

By default, the server is configured so that CSRF attacks are prevented by requiring a unique token to be send for form requests. The REST API requires the content type to be application/json. If needed, both security mechanism can be disabled via the config.yml using the following configuration.

disableCheckCSRF:
    contentTypeCheck: true
    tokenCheck: true

Unblocking Users and Password Reset

In case you need to reset a password for a user on startup, add the following to config.yml. The new_password must comply with the configured password rules. The respective user will also be unblocked and enabled.

unblock:
    password: new_password
    username: existing_user

Cross-Origin Resource Sharing (CORS) Allowlist

This adds a allowlist for the 'Origin' HTTP header in requests where the HTTP request's 'URL' and 'Origin' do not match.

This protects against CSWSH ( https://christian-schneider.net/CrossSiteWebSocketHijacking.html) attack and it should be set.

grails:
    cors:
       allowedOrigins:
       - http://www.allowedorigin1.com
       - http://www.allowedorigin2.com