Skip to main content
English (US) Nederlands

Elvis 5 security updates overview

  • Updated

This article describes the security updates for Elvis 5 as published in other locations of the Help Center such as the Elvis 5 Release Notes. Use it as a quick reference to find out if any of the issues affect your Elvis environment.

Important: The default configuration settings of Elvis 5 Server are aimed to keep the system as secure as possible. Change these settings with care and at your own risk.

Security configuration overview

The following is an overview of the security configuration of Elvis 5 Server.

Cross-origin protection

AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.

Example: If Elvis server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.

Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)

For more information, see Elvis 5 API - cross origin.

Anti-clickjacking headers

Anti-clickjacking headers limit how the Elvis Web client is allowed to be loaded in iframes or other frames.

By default, the Elvis Web client is only allowed to be loaded in a frame originating from the same domain as the server.

It is however also possible to load the Elvis Web client from another domain than the server. For more information, see the changes for Elvis 5.24 below.

HTML previews

Previews of Web pages (files in .html format) that are stored in Elvis are disabled by default. They can be enabled with limited functionality or with full functionality.

For more information, see the changes for Elvis 5.9 and the changes for Elvis 5.13 below.

Log-in blocking

The number of times that a user can attempt to log in is limited.

When incorrect credentials are entered a few times, logging in through the user’s IP address will be blocked for a short period of time.

Various options for this feature can be configured, see the 'log-in throttling' options below.

Security options that may affect your Elvis setup

The following lists some of the security issues that may affect your Elvis 5 environment.

Limited functionality for HTML pages loaded outside the Web client

HTML pages that are stored in Elvis will have limited functionality when they are loaded outside the Web client for use in banners, forms or other objects that depend on JavaScript or external sources. This is because of the Content Security Policy headers which limit what the object is allowed to do. (See HTML previews above.)

Web client prevented from loading in a frame or iframe

If your Elvis installation is used in combination with a solution that loads the Elvis Web client in a frame or iframe, the anti-clickjacking headers will prevent the Web client from being loaded, thereby breaking the integration. (See HTML previews above.)

No preview for Word files and Web pages when Web client is served from a different domain than Elvis Server

If your Elvis Web client is served from a different domain than Elvis Server, the anti-clickjacking headers will prevent previews for Word files (in .doc format) and Web pages (in .html format). (See Anti-clickjacking headers above.)

Additional security settings

Configuring iframe access from domains other than Elvis Server

To make it possible to load the Elvis Web client from another domain than the server, configure the following options in the cluster-config.properties.txt file:

  • X-Frame-Options. The X-Frame-Options HTTP response header can be used to indicate whether or not a Web browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. It is mainly used for older Web browsers.

security.antiClickjackHeadersXFrameOptions=SAMEORIGIN

Notes:

  • Default value: SAMEORIGIN
  • Only one domain can be specified
  • For this to work, set security.antiClickjackHeaders=true.

Specify a domain as follows: ALLOW FROM http://example.com

For more information, see Mozilla Developers Network - X-Frame-Options.

  • ContentSecurityPolicy. Allows the specified domain to have the server to be shown in an iframe. It is mainly used by modern Web browsers.

security.antiClickjackHeadersContentSecurityPolicy=self

Notes:

  • Default value: self
  • Multiple domains can be specified
  • For this to work, set security.antiClickjackHeaders=true.

Specify a domain as follows: http://example.com http://domain.com

Each domain should be separated with a space.

For more information, see Mozilla Developers Network - Content Security Policy (CSP).

Log-in throttling: Excluding IP-addresses

Info:

When log-in throttling is enabled through the option named 'security.loginThrottle.maxFailedIpAttempts' (see Elvis Server 5.13 changes), any trusted IP addresses that should never be blocked can be white-listed by using the option named 'security.loginThrottle.ipWhiteList'.

Use this for example to exclude the Enterprise Server IP address where many different user requests come from the same source.

security.loginThrottle.ipWhiteList=0:0:0:0:0:0:0:1

Note: Separate users on this IP may still be blocked when the option 'security.loginThrottle.maxFailedUsernameAttempts' is exceeded.

Log-in throttling based on IP addresses

Log-in throttling (temporarily blocking a user log-in after a defined number of failed attempts) now also works purely on IP addresses and not just on combinations of user name and IP address.

Log-in throttling: Defining where to retrieve the address of a request from

Info:

By default, Elvis Server uses the remote address of a request.

When Elvis is running behind a load balancer, the IP address of the remote host of a request may be retrieved from the request headers (Client-IP and X-Forwarded-For) by setting the option named 'security.runningBehindLoadBalancer' to 'true'.

security.runningBehindLoadBalancer=true

Caution: Beware that enabling this option when Elvis is not running behind a load balancer allows an attacker to circumvent the IP-based log-in throttling by "faking" his IP using the header. (See the op tion 'security.loginThrottle.maxFailedIpAttempts' below.)

Log-in throttling: Setting the number of log-in attempts before log-in throttling should take place

Info:

The number of log-in attempts for a combination of IP address and user name that are allowed before log-in throttling takes place can be set through the option named 'security.loginThrottle.maxFailedUsernameAttempts'.

This is separate from IP-based blocks and is generally set lower than the option 'maxFailedIpAttempts' to make sure that when users share the same IP address, the failed attempt of one user does not affect all other users.

security.loginThrottle.maxFailedUsernameAttempts=3
Log-in throttling: Setting the number of failed attempts for a single IP address

Info:

The number of failed log-in attempts for a single IP address before log-in throttling for that IP address takes place can be set through the option named 'security.loginThrottle.maxFailedIpAttempts'.

security.loginThrottle.maxFailedIpAttempts=20
Log-in throttling: Defining the minimum time a user is blocked

Info:

When the log-in attempts of a user have failed (defined through the options named 'maxFailedUsernameAttempts' or 'maxFailedIpAttempts'), the minimum time that a user has to wait (in seconds) is set through the option named 'security.loginThrottle.minWaitTimeSeconds'.

The blocked time increases when more failed attempts occur, up to the maximum number of seconds set through the option named 'security.loginThrottle.maxWaitTimeSeconds'.

security.loginThrottle.minWaitTimeSeconds=1
Log-in throttling: Defining the maximum time a user is blocked

Info:

When the log-in attempts of a user have failed (defined through the options named 'maxFailedUsernameAttempts' or 'maxFailedIpAttempts'), the maximum time that a user has to wait (in seconds) is set through the option named 'security.loginThrottle.maxWaitTimeSeconds'.

security.loginThrottle.maxWaitTimeSeconds=600
Enabling previews of HTML files

Info:

Previews of Web pages (files in .html format) that are stored in Elvis are disabled by default.

Note: Previews of Microsoft Office documents are still shown despite being in HTML format.

Previews for these files can be enabled by setting the option named 'security.enableHtmlPreviews' to 'true'.

security.enableHtmlPreviews=true

This option works together with the option 'security.enableSecureHtmlPreviews' (see Elvis 5.9 changes): if 'security.enableHtmlPreviews' is enabled, the HTML previews are still secured if 'security.enableSecureHtmlPreviews' is also enabled. However, not all Web browsers support this.

Prevent clickjacking when viewing Web pages (renamed)

Info:

The option that blocks the loading of Web pages in iframes and only allows a page to be loaded when it is from the same domain has been renamed.

  • New name: security.antiClickjackHeaders
  • Old name: security.xFrameOptionHeaders

The security.antiClickjackHeaders option now also adds the 'frame-ancestors' directive to the Content-Security-Policy header, next to the X-Frame-Options header, to all requests.

The option is backwards compatible, meaning that existing setups will keep working but new configurations should use the new option.

Support for TLSv1 dropped

Because of security reasons, TLS v1 is not supported out of the box anymore in Elvis Server 5.10.

The current Elvis InDesign plug-ins are not compatible with this change. To use these plug-ins over SSL, re-enable TLS v1 in Elvis 5 as follows:

Step 1. In your Elvis confg folder, add a folder named ‘jetty_config'.

<elvis server path>/config/jetty_config

Step 2. Download the file enable_tlsv1.xml and place it in the jetty_config folder.

Step 3. Restart Elvis Server.

Elvis Server now supports TLSv1 again.

Controlling which domains can make calls to Elvis Server

Info:

The option that controls which domains can make calls to Elvis Server has been renamed:

  • New name: security.accessControlAllowOrigin
  • Old name: accessControlAllowOrigin
security.accessControlAllowOrigin=

For more information about this option, see Elvis 5 API - cross origin.

Preventing HTML previews from injecting malicious code

Info:

A new option named 'security.enableSecureHtmlPreviews' has been introduced which sets all HTML previews for assets of type .html and .docx to use the Content Security Policy header. This way, the asset is sandboxed meaning that no malicious code can be injected on the page through the asset.

security.enableSecureHtmlPreviews=true

For more information see the Content Security Policy.

Prevent clickjacking when viewing Web pages

Info:

The loading of Web pages in iframes is now blocked or only allowed when the page is from the same domain. All requests will get an X-Frame-Options header added to them to combat clickjacking.

This is controlled through the following option:

security.xFrameOptionHeaders=true
"Debug Info External" option removed from the Debug bundled plug-in

The option for viewing debugging info in an external Web browser has been removed from the Debug bundled plug-in.

Logging-in is temporarily blocked after 3 failed attempts

When a user tries to log in 3 times and fails on each attempt, further log-in attempts are temporarily blocked.

Controlling which domains can make calls to Elvis Server

Info:

To improve the security of on-premise installations, the default value of the 'AccessControlAllowOrigin' option has changed from allowing all other domains to allowing no other domains.

Current default value:

accessControlAllowOrigin=

Default value for previous versions:

accessControlAllowOrigin=*

As a result, existing integrations may no longer work. To make them work again add any origin address to the accessControlAllowOrigin property.

For more information, see Elvis 5 API - cross origin.

Elvis 5 Server changes by version

The following table shows in which version of Elvis 5 each security update was added. Use it as a reference. The items in the table are described above.

Update Elvis 5 version
Configuring iframe access from domains other than Elvis Server 5.24
Log-in throttling: Excluding IP-addresses 5.19
Log-in throttling based on IP addresses 5.13
Log-in throttling: Defining where to retrieve the address of a request from 5.13
Log-in throttling: Setting the number of log-in attempts before log-in throttling should take place 5.13
Log-in throttling: Setting the number of failed attempts for a single IP address 5.13
Log-in throttling: Defining the minimum time a user is blocked 5.13
Log-in throttling: Defining the maximum time a user is blocked 5.13
Enabling previews of HTML files 5.13
Prevent clickjacking when viewing Web pages (renamed) 5.12
Support for TLSv1 dropped 5.10
Controlling which domains can make calls to Elvis Server 5.9
Preventing HTML previews from injecting malicious code 5.9
Prevent clickjacking when viewing Web pages 5.9
"Debug Info External" option removed from the Debug bundled plug-in 5.9
Logging-in is temporarily blocked after 3 failed attempts 5.9
Controlling which domains can make calls to Elvis Server 5.7

Document history

  • 21 August 2018: Replaced the content of section 'Elvis 5 Server changes by version' by a table.
  • 21 August 2018: Moved the content of section 'Elvis 5 Server changes by version' to a new section named 'Additional security settings'.
  • 15 August 2018: Updated section 'Elvis 5 Server changes by version' with 'Elvis Server 5.19 changes'.

Related articles

Comment

Do you have corrections or additional information about this article? Leave a comment!
Do you have a question about what is described in this article? Please contact Support.


0 comments

Please sign in to leave a comment.