HTTP Headers on NOWSMS Web Interface
Acette Support Frequent Contributor Username: Mathewm Post Number: 169 Registered: 04-2011
Hi, We have a requirement to set the X-Frame-Options response header or the Content-Security-Policy 'frame-ancestors' response header in all content responses from the NowSMS Web Interface. This is related to mitigating a Clickjacking vulnerability. Is there a configuration to achieve this? Thanks
Bryce Norwood - NowSMS Support Board Administrator Username: Bryce Post Number: 8526 Registered: 10-2002
Hi, In the Windows version, there is no way to insert these headers. In the Linux version, the following headers are sent by default:

X-Permitted-Cross-Domain-Policies: none
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
Permissions-Policy: sync-xhr=(self)
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: same-origin

If you need to override any of these defaults, there is an alpha version that allows this, with an INI setting. It is somewhat complicated to explain, but if you explain exactly what header changes or additions you require, I can provide examples.
Acette Support Frequent Contributor Username: Mathewm Post Number: 171 Registered: 04-2011
Hi, This is a security audit finding at one of our NowSMS installations on a Windows server. As a policy, we are required to close the findings. The remedial action to close the finding suggests that the portal returns the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. Appreciate if you can suggest how this can be achieved on the Windows installation.
Bryce Norwood - NowSMS Support Board Administrator Username: Bryce Post Number: 8527 Registered: 10-2002
We are working on an update to the Windows version of NowSMS that adds the capability to customize the HTTP headers. Estimate: 1-2 weeks
Bryce Norwood - NowSMS Support Board Administrator Username: Bryce Post Number: 8531 Registered: 10-2002
An update adds support for this. A preliminary version is available at: https://nowsms.com/download/nowsms20240612.zip

* Add INI file setting to add additional HTTP headers to the web interface to provide additional security. To add headers, use the HTTPHeadersOverride= setting under the [SMSGW] header in SMSGW.INI. Include an escape sequence of \r\n after each header to force a line break. For example:

HTTPHeadersOverride=X-Permitted-Cross-Domain-Policies: none\r\nContent-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;\r\nPermissions-Policy: sync-xhr=(self)\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nCross-Origin-Embedder-Policy: require-corp\r\nCross-Origin-Opener-Policy: same-origin-allow-popups\r\nCross-Origin-Resource-Policy: same-origin\r\n
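
An offline check for the setting described in the post above, as an added example that is not NowSMS code and not part of the original thread: it parses the HTTPHeadersOverride value and reports which of the two anti-framing controls named in the audit finding it carries. The function names are hypothetical, and accepting only DENY and SAMEORIGIN as X-Frame-Options values is this example's assumption.

```python
import configparser

# The [SMSGW] example from the post above, embedded so the check runs offline.
THREAD_INI = r"""
[SMSGW]
HTTPHeadersOverride=X-Permitted-Cross-Domain-Policies: none\r\nContent-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;\r\nPermissions-Policy: sync-xhr=(self)\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nCross-Origin-Embedder-Policy: require-corp\r\nCross-Origin-Opener-Policy: same-origin-allow-popups\r\nCross-Origin-Resource-Policy: same-origin\r\n
"""

ESC = "\\r\\n"  # the literal backslash-r backslash-n escape typed into the INI file


def parse_override(ini_text):
    """Return (headers, problems) for the [SMSGW] HTTPHeadersOverride value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(ini_text)
    raw = cp.get("SMSGW", "HTTPHeadersOverride", fallback="") or ""
    problems = []
    if raw and not raw.endswith(ESC):
        problems.append("value does not end with the \\r\\n escape")
    headers = {}
    for item in filter(None, raw.split(ESC)):
        name, sep, value = item.partition(":")
        if not sep or not name.strip():
            problems.append(f"malformed header: {item!r}")
            continue
        headers[name.strip().lower()] = value.strip()
    return headers, problems


def framing_protection(headers):
    """List the anti-framing controls present in the parsed headers."""
    found = []
    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):  # assumption: only these two count
        found.append(f"X-Frame-Options: {xfo}")
    # frame-ancestors must be listed explicitly; default-src is not a fallback for it.
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if len(parts) > 1 and parts[0].lower() == "frame-ancestors":
            found.append("CSP " + " ".join(parts))
    return found


if __name__ == "__main__":
    hdrs, issues = parse_override(THREAD_INI)
    print("problems:", issues)
    print("anti-framing controls:", framing_protection(hdrs))
```

For the value in the post, the only anti-framing control reported is X-Frame-Options: SAMEORIGIN, since its Content-Security-Policy has no frame-ancestors directive.
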
Acette Support Frequent Contributor Username: Mathewm Post Number: 172 Registered: 04-2011
Thanks for the update. Are we expecting a final version later?
Acette Support Frequent Contributor Username: Mathewm Post Number: 173 Registered: 04-2011
This seems to be working. Thanks. Is there any tentative date for the final release?