Security Settings for PaperCut's Web Server

PaperCut uses an embedded web server called Jetty. Although the out-of-the-box security settings should suit most sites, some situations call for site-specific options that can further improve security. For general security questions, be sure to see Common Security Questions and Tell me about PaperCut’s security.

Q: Can I use/install my own SSL certificate?

Yes, see our article on Importing SSL Certificates with KeyStore Explorer, which includes instructions for both generating a new SSL certificate and installing an existing SSL certificate.

Q: Can PaperCut NG and PaperCut MF ensure that connections to the web server are made over HTTPS using SSL?

Yes. The application can be configured to redirect any request made over plain HTTP to HTTPS automatically. In addition, PaperCut NG and PaperCut MF 17.1 and later support HSTS (HTTP Strict Transport Security), which moves that enforcement into the client: once a supporting browser has received the Strict-Transport-Security header from the server, it rewrites its own subsequent HTTP requests for that host to HTTPS before anything is sent over the network. Note that browsers only honour the header when it arrives over an HTTPS connection with a certificate they trust, so the HTTP-to-HTTPS redirect and a valid certificate must both be in place for HSTS to take effect.

See the Knowledge Base article Forcing use of HTTPS/SSL for instructions on configuring these features in your environment.

Q: How do I harden TLS/SSL ciphers in my PaperCut MF deployment?

See the Knowledge Base article SSL Cipher Configuration - removing weak ciphers for how to configure the TLS ciphers the web server will accept.

Q: I’m running a highly secure deployment and notice that the application uses session cookies. How can I be sure these are being handled safely?

As of version 17.1 of PaperCut NG and PaperCut MF, a session cookie issued for a request that arrived over a secure connection is sent with both the “Secure” and “HttpOnly” flags in the Set-Cookie response header. The “Secure” flag tells the browser to send the cookie only over HTTPS, so the session identifier is never transmitted in the clear even if the browser is later directed to a plain HTTP URL on the same host. The “HttpOnly” flag makes the cookie invisible to client-side script (it cannot be read via document.cookie), so a cross-site scripting bug in a page cannot be used to steal the session from the browser. For sites with particularly rigorous cookie requirements, additional configuration can apply these flags uniformly to all other cookie types the web server issues, including cookies set over plain HTTP.

To make these changes to your PaperCut server, follow the steps below:

  1. In a text editor, open the following file: [app-path]/server/
  2. Paste the following section into the file to set the cookie policy:

       ### Cookie Policy ###
       # By default session cookie is set to be httpOnly and secure (if originating from secure connection).
       # Policy below can force all cookies (not just session) to be always httpOnly and secure even if not coming from secure
       # connection.
       # NOTE: Setting force-secure=Y will disable cookie session tracking for http origins.

  3. Save the file.
  4. Restart the PaperCut Application Server service.

Because force-secure=Y stops session tracking for clients that arrive over plain HTTP, enable the HTTP-to-HTTPS redirect described above before turning it on, and confirm afterwards that users can still log in.
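The two behaviours described above (redirecting plain HTTP to HTTPS with HSTS, and issuing cookies with the Secure and HttpOnly flags) are easy to verify from the response headers alone. The following is an added example, not PaperCut’s own code: an offline audit that takes the status and headers of a response to a plain-HTTP request and of a response to an HTTPS request, and returns a list of findings (an empty list means the behaviour is as expected). The sample responses are constructed; the host name, the 9191/9192 ports, the /app path and the JSESSIONID cookie name are assumptions, not values taken from this article.

```python
# Added example, not PaperCut's own code: offline audit of the response headers
# that the HTTPS-redirect, HSTS and cookie-flag behaviours should produce.
# Sample responses below are constructed; host name, ports 9191/9192, the /app
# path and the JSESSIONID cookie name are assumptions.
from __future__ import annotations
from urllib.parse import urlsplit

Headers = list[tuple[str, str]]  # ordered; a name may repeat (Set-Cookie)


def first_header(headers: Headers, name: str) -> str | None:
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value such as 'max-age=31536000; includeSubDomains'."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                policy["max_age"] = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # a malformed max-age is treated as 0 (no policy)
        elif d == "includesubdomains":
            policy["include_subdomains"] = True
        elif d == "preload":
            policy["preload"] = True
    return policy


def parse_cookie_flags(set_cookie: str) -> dict:
    """Return the cookie name and its Secure / HttpOnly / SameSite attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name, "secure": "secure" in attrs,
            "httponly": "httponly" in attrs, "samesite": attrs.get("samesite")}


def audit_plain_http_response(status: int, headers: Headers, requested_url: str) -> list[str]:
    """Response to an http:// request must be a redirect to https:// on the same host;
    anything else means content is being served in the clear."""
    findings: list[str] = []
    if status not in (301, 302, 307, 308):
        return [f"no redirect: HTTP {status} served over plain HTTP"]
    location = first_header(headers, "Location")
    if location is None:
        return ["redirect without a Location header"]
    target, requested = urlsplit(location), urlsplit(requested_url)
    if target.scheme.lower() != "https":
        findings.append(f"redirect target is not https: {location}")
    if target.hostname and requested.hostname and target.hostname.lower() != requested.hostname.lower():
        findings.append(f"redirect changes host {requested.hostname} -> {target.hostname}")
    return findings


def audit_https_response(status: int, headers: Headers, min_hsts_age: int = 31536000) -> list[str]:
    """An https:// response should carry HSTS with a long max-age (one year is the usual
    minimum) and every cookie it sets should be marked Secure and HttpOnly."""
    findings: list[str] = []
    hsts = first_header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    elif parse_hsts(hsts)["max_age"] < min_hsts_age:
        findings.append(f"HSTS max-age {parse_hsts(hsts)['max_age']} is below {min_hsts_age}")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_cookie_flags(value)
        if not cookie["secure"]:
            findings.append(f"cookie {cookie['name']} lacks Secure")
        if not cookie["httponly"]:
            findings.append(f"cookie {cookie['name']} lacks HttpOnly")
    return findings


# Constructed sample responses (not captured from a real server).
PLAIN_HTTP_REDIRECTED = (302, [("Location", "https://print.example.com:9192/app"), ("Content-Length", "0")])
PLAIN_HTTP_UNPROTECTED = (200, [("Content-Type", "text/html")])
HTTPS_HARDENED = (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                        ("Set-Cookie", "JSESSIONID=node0abc123; Path=/; Secure; HttpOnly")])
HTTPS_WEAK = (200, [("Set-Cookie", "JSESSIONID=node0abc123; Path=/"),
                    ("Set-Cookie", "lang=en; Path=/; Secure")])

if __name__ == "__main__":
    url = "http://print.example.com:9191/app"
    for label, result in [("plain HTTP (redirected)", audit_plain_http_response(*PLAIN_HTTP_REDIRECTED, url)),
                          ("plain HTTP (unprotected)", audit_plain_http_response(*PLAIN_HTTP_UNPROTECTED, url)),
                          ("HTTPS (hardened)", audit_https_response(*HTTPS_HARDENED)),
                          ("HTTPS (weak)", audit_https_response(*HTTPS_WEAK))]:
        print(f"{label}: {result or 'OK'}")
```

To run it against a live server, capture the status and headers with any HTTP client (for example http.client or curl -i) and pass them to the two audit functions; keep the plain-HTTP and HTTPS responses separate, because HSTS is only meaningful on the HTTPS one.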

Q: I use a NAT, and I can forge/create an HTTP request that exposes PaperCut’s “internal” IP address. How can I prevent this?

(This question also applies to security audit software that may report something like “Web Server HTTP Header Internal IP Disclosure”)

PaperCut’s web server must be able to redirect users to new pages. When it performs a redirect, the target location is built from the Host header that the browser sent with the request. If the Host header is omitted (for example, in a hand-crafted HTTP/1.0 request, since every browser sends one), the target is built from the server’s own hostname or IP address instead. In a NAT environment this may be undesirable if the server’s IP address is considered private, because the private address then appears in the Location header returned to the client.

As of PaperCut version 11.3, the web server can be “forced” to redirect to a defined host name regardless of what the request contained. If this option is used, all users must access PaperCut via that host name, and the host name must resolve and be reachable for all users, including those who reach the server through the NAT. To enable this option:

1. Open [app-path]/server/ in a text editor.
2. Add the line:
… where is the fully qualified host name that all users will access PaperCut on.
3. Restart the PaperCut Application Server service.
4. Test access to the web interface (using both HTTP and HTTPS if applicable), and re-run the request without a Host header to confirm the redirect now points at the defined host name rather than the server’s IP address.
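The check that audit tools perform for this finding is simple to reproduce by hand. The following is an added example, not PaperCut’s own code: it sends a bare HTTP/1.0 GET with the Host header deliberately omitted (which is what the question describes as a forged request) and reports whether the Location header of the resulting redirect names an internal IP address. The decision logic is kept separate from the socket code so it can be exercised on the constructed responses included below; port 9191 and the /app path are assumptions.

```python
# Added example, not PaperCut's own code: reproduce the "internal IP disclosure"
# audit check by omitting the Host header and inspecting the redirect target.
# The two sample responses are constructed; port 9191 and /app are assumptions.
from __future__ import annotations
import ipaddress
import socket
import sys
from urllib.parse import urlsplit


def redirect_target_host(raw_response: bytes) -> str | None:
    """Host (or IP literal) named in the Location header of a raw HTTP response, if any."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname
    return None


def is_internal_address(host: str | None) -> bool:
    """True if host is an IP literal in private (RFC 1918 / ULA), loopback or link-local space."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a host name, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def discloses_internal_ip(raw_response: bytes) -> bool:
    """The audit condition: the redirect points at an internal IP address."""
    return is_internal_address(redirect_target_host(raw_response))


def probe_without_host_header(server: str, port: int = 9191, path: str = "/app",
                              timeout: float = 5.0) -> bytes:
    """Send an HTTP/1.0 GET with no Host header and return the raw response bytes."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses (not captured from a real server): before and after the fix.
LEAKY_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: http://10.20.30.40:9191/app\r\n"
                  b"Content-Length: 0\r\n\r\n")
FIXED_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://print.example.com:9192/app\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live probe: python probe.py <server> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 9191
        raw = probe_without_host_header(sys.argv[1], port)
        print("redirect target:", redirect_target_host(raw))
        print("internal IP disclosed:", discloses_internal_ip(raw))
    else:
        print("leaky sample:", discloses_internal_ip(LEAKY_RESPONSE))
        print("fixed sample:", discloses_internal_ip(FIXED_RESPONSE))
```

After setting the forced host name, the live probe should report the defined host name as the redirect target; if it still shows an address, the option was not picked up (check the file edit and that the service was restarted).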

Categories: How-to Articles, Security and Privacy

Keywords: web security, security audit, IP address leak