This article describes the security updates for Elvis 5 as published in other locations of the Help Center such as the Elvis 5 Release Notes. Use it as a quick reference to find out if any of the issues affect your Elvis environment.
Important: The default configuration settings of Elvis 5 Server are aimed to keep the system as secure as possible. Change these settings with care and at your own risk.
Security configuration overview
The following is an overview of the security configuration of Elvis 5 Server.
AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.
Example: If Elvis server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.
Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)
For more information, see Elvis 5 API - cross origin.
Anti-clickjacking headers limit how the Elvis Web client is allowed to be loaded in iframes or other frames.
By default, the Elvis Web client is only allowed to be loaded in a frame originating from the same domain as the server.
It is however also possible to load the Elvis Web client from another domain than the server. For more information, see the changes for Elvis 5.24 below.
Previews of Web pages (files in .html format) that are stored in Elvis are disabled by default. They can be enabled with limited functionality or with full functionality.
The number of times that a user can attempt to log in is limited.
When incorrect credentials are entered a few times, logging in through the user’s IP address will be blocked for a short period of time.
Various options for this feature can be configured, see the 'log-in throttling' options below.
Security options that may affect your Elvis setup
The following lists some of the security issues that may affect your Elvis 5 environment.
Limited functionality for HTML pages loaded outside the Web client
Web client prevented from loading in a frame or iframe
If your Elvis installation is used in combination with a solution that loads the Elvis Web client in a frame or iframe, the anti-clickjacking headers will prevent the Web client from being loaded, thereby breaking the integration. (See HTML previews above.)
No preview for Word files and Web pages when Web client is served from a different domain than Elvis Server
If your Elvis Web client is served from a different domain than Elvis Server, the anti-clickjacking headers will prevent previews for Word files (in .doc format) and Web pages (in .html format). (See Anti-clickjacking headers above.)
Additional security settings
To make it possible to load the Elvis Web client from another domain than the server, configure the following options in the cluster-config.properties.txt file:
- X-Frame-Options. The X-Frame-Options HTTP response header can be used to indicate whether or not a Web browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. It is mainly used for older Web browsers.
- Default value: SAMEORIGIN
- Only one domain can be specified
- For this to work, set security.antiClickjackHeaders=true.
Specify a domain as follows: ALLOW FROM http://example.com
For more information, see Mozilla Developers Network - X-Frame-Options.
- ContentSecurityPolicy. Allows the specified domain to have the server to be shown in an iframe. It is mainly used by modern Web browsers.
- Default value: self
- Multiple domains can be specified
- For this to work, set security.antiClickjackHeaders=true.
Specify a domain as follows: http://example.com http://domain.com
Each domain should be separated with a space.
For more information, see Mozilla Developers Network - Content Security Policy (CSP).
When log-in throttling is enabled through the option named 'security.loginThrottle.maxFailedIpAttempts' (see Elvis Server 5.13 changes), any trusted IP addresses that should never be blocked can be white-listed by using the option named 'security.loginThrottle.ipWhiteList'.
Use this for example to exclude the Enterprise Server IP address where many different user requests come from the same source.
Note: Separate users on this IP may still be blocked when the option 'security.loginThrottle.maxFailedUsernameAttempts' is exceeded.
Log-in throttling (temporarily blocking a user log-in after a defined number of failed attempts) now also works purely on IP addresses and not just on combinations of user name and IP address.
By default, Elvis Server uses the remote address of a request.
When Elvis is running behind a load balancer, the IP address of the remote host of a request may be retrieved from the request headers (Client-IP and X-Forwarded-For) by setting the option named 'security.runningBehindLoadBalancer' to 'true'.
Caution: Beware that enabling this option when Elvis is not running behind a load balancer allows an attacker to circumvent the IP-based log-in throttling by "faking" his IP using the header. (See the op tion 'security.loginThrottle.maxFailedIpAttempts' below.)
The number of log-in attempts for a combination of IP address and user name that are allowed before log-in throttling takes place can be set through the option named 'security.loginThrottle.maxFailedUsernameAttempts'.
This is separate from IP-based blocks and is generally set lower than the option 'maxFailedIpAttempts' to make sure that when users share the same IP address, the failed attempt of one user does not affect all other users.
The number of failed log-in attempts for a single IP address before log-in throttling for that IP address takes place can be set through the option named 'security.loginThrottle.maxFailedIpAttempts'.
When the log-in attempts of a user have failed (defined through the options named 'maxFailedUsernameAttempts' or 'maxFailedIpAttempts'), the minimum time that a user has to wait (in seconds) is set through the option named 'security.loginThrottle.minWaitTimeSeconds'.
The blocked time increases when more failed attempts occur, up to the maximum number of seconds set through the option named 'security.loginThrottle.maxWaitTimeSeconds'.
When the log-in attempts of a user have failed (defined through the options named 'maxFailedUsernameAttempts' or 'maxFailedIpAttempts'), the maximum time that a user has to wait (in seconds) is set through the option named 'security.loginThrottle.maxWaitTimeSeconds'.
Previews of Web pages (files in .html format) that are stored in Elvis are disabled by default.
Note: Previews of Microsoft Office documents are still shown despite being in HTML format.
Previews for these files can be enabled by setting the option named 'security.enableHtmlPreviews' to 'true'.
This option works together with the option 'security.enableSecureHtmlPreviews' (see Elvis 5.9 changes): if 'security.enableHtmlPreviews' is enabled, the HTML previews are still secured if 'security.enableSecureHtmlPreviews' is also enabled. However, not all Web browsers support this.
The option that blocks the loading of Web pages in iframes and only allows a page to be loaded when it is from the same domain has been renamed.
- New name: security.antiClickjackHeaders
- Old name: security.xFrameOptionHeaders
The security.antiClickjackHeaders option now also adds the 'frame-ancestors' directive to the Content-Security-Policy header, next to the X-Frame-Options header, to all requests.
The option is backwards compatible, meaning that existing setups will keep working but new configurations should use the new option.
Because of security reasons, TLS v1 is not supported out of the box anymore in Elvis Server 5.10.
The current Elvis InDesign plug-ins are not compatible with this change. To use these plug-ins over SSL, re-enable TLS v1 in Elvis 5 as follows:
Step 1. In your Elvis confg folder, add a folder named ‘jetty_config'.
<elvis server path>/config/jetty_config
Step 2. Download the file enable_tlsv1.xml and place it in the jetty_config folder.
Step 3. Restart Elvis Server.
Elvis Server now supports TLSv1 again.
The option that controls which domains can make calls to Elvis Server has been renamed:
- New name: security.accessControlAllowOrigin
- Old name: accessControlAllowOrigin
For more information about this option, see Elvis 5 API - cross origin.
A new option named 'security.enableSecureHtmlPreviews' has been introduced which sets all HTML previews for assets of type .html and .docx to use the Content Security Policy header. This way, the asset is sandboxed meaning that no malicious code can be injected on the page through the asset.
For more information see the Content Security Policy.
The loading of Web pages in iframes is now blocked or only allowed when the page is from the same domain. All requests will get an X-Frame-Options header added to them to combat clickjacking.
This is controlled through the following option:
The option for viewing debugging info in an external Web browser has been removed from the Debug bundled plug-in.
When a user tries to log in 3 times and fails on each attempt, further log-in attempts are temporarily blocked.
To improve the security of on-premise installations, the default value of the 'AccessControlAllowOrigin' option has changed from allowing all other domains to allowing no other domains.
Current default value:
Default value for previous versions:
As a result, existing integrations may no longer work. To make them work again add any origin address to the accessControlAllowOrigin property.
For more information, see Elvis 5 API - cross origin.
Elvis 5 Server changes by version
The following table shows in which version of Elvis 5 each security update was added. Use it as a reference. The items in the table are described above.
|Update||Elvis 5 version|
|Configuring iframe access from domains other than Elvis Server||5.24|
|Log-in throttling: Excluding IP-addresses||5.19|
|Log-in throttling based on IP addresses||5.13|
|Log-in throttling: Defining where to retrieve the address of a request from||5.13|
|Log-in throttling: Setting the number of log-in attempts before log-in throttling should take place||5.13|
|Log-in throttling: Setting the number of failed attempts for a single IP address||5.13|
|Log-in throttling: Defining the minimum time a user is blocked||5.13|
|Log-in throttling: Defining the maximum time a user is blocked||5.13|
|Enabling previews of HTML files||5.13|
|Prevent clickjacking when viewing Web pages (renamed)||5.12|
|Support for TLSv1 dropped||5.10|
|Controlling which domains can make calls to Elvis Server||5.9|
|Preventing HTML previews from injecting malicious code||5.9|
|Prevent clickjacking when viewing Web pages||5.9|
|"Debug Info External" option removed from the Debug bundled plug-in||5.9|
|Logging-in is temporarily blocked after 3 failed attempts||5.9|
|Controlling which domains can make calls to Elvis Server||5.7|
- 21 August 2018: Replaced the content of section 'Elvis 5 Server changes by version' by a table.
- 21 August 2018: Moved the content of section 'Elvis 5 Server changes by version' to a new section named 'Additional security settings'.
- 15 August 2018: Updated section 'Elvis 5 Server changes by version' with 'Elvis Server 5.19 changes'.