Security Settings for PaperCut's Web Server


Main.WebServerSecuritySettings History


November 25, 2018, at 11:55 PM by amir - Reference to updated location of weak cipher removal
Added lines 14-17:

'''Q: How do I harden TLS/SSL ciphers in my PaperCut MF deployment?'''

A:  Check out the relevant Knowledge Base article on how to configure TLS ciphers [[SSLCipherConfiguration|+]].
August 01, 2018, at 06:36 PM by Aaron Pouliot - Added steps to set the Cookie Policy
Changed lines 7-8 from:
A: Yes, see the user manual section [[/products/ng/manual/apdx-ssl-key-generation.html|SSL/HTTPS Key Generation]], which includes instructions for both generating a new SSL certificate and installing an existing SSL certificate.
to:
A: Yes, see our article on [[https://www.papercut.com/kb/Main/SSLWithKeystoreExplorer|Importing SSL Certificates with KeyStore Explorer]], which includes instructions for both generating a new SSL certificate and installing an existing SSL certificate.
Changed lines 17-32 from:
A: As of version 17.1 of PaperCut NG and PaperCut MF, a session cookie generated for access originating over a secure connection is automatically provided alongside both the "Secure" and [="HttpOnly"=] flags within the HTTP response header. The "Secure" flag ensures that the details of a session cookie will not be disclosed if a browser subsequently requests the information over a plain HTTP connection, whilst the [="HttpOnly"=] flag dictates that the cookie can only be accessed by the server itself, minimising the chance of it being intercepted and interpreted by a third party. For sites with particularly rigorous concerns around cookies, additional configuration can allow these flags to be included uniformly for all other cookie types issued by the web server; contact the PaperCut Support team for more information along these lines.
to:
A: As of version 17.1 of PaperCut NG and PaperCut MF, a session cookie generated for access originating over a secure connection is automatically provided alongside both the "Secure" and [="HttpOnly"=] flags within the HTTP response header. The "Secure" flag ensures that the details of a session cookie will not be disclosed if a browser subsequently requests the information over a plain HTTP connection, whilst the [="HttpOnly"=] flag dictates that the cookie can only be accessed by the server itself, minimizing the chance of it being intercepted and interpreted by a third party. For sites with particularly rigorous concerns around cookies, additional configuration can allow these flags to be included uniformly for all other cookie types issued by the web server.

To make these changes to your PaperCut server, follow the steps below:
# In a text editor, open the following file: [app-path]/server/server.properties
# Paste the following section into the server.properties file to set the cookie policy.
** [@
### Cookie Policy ###
# By default session cookie is set to be httpOnly and secure (if originating from secure connection).
# Policy below can force all cookies (not just session) to be always httpOnly and secure even if not coming from secure
# connection.
# NOTE: Setting force-secure=Y will disable cookie session tracking for http origins.
server.cookies.force-http-only=Y
server.cookies.force-secure=Y
@]
# Save the file.
# Restart the PaperCut Application Server service.
July 31, 2018, at 05:18 PM by Aaron Pouliot - Fixed link to Forcing use of HTTPS/SSL KB
Changed line 13 from:
Check out the relevant Knowledge Base article [[/kb/Main/ForcingSSL|Forcing use of HTTPS/SSL only]] for instructions towards configuring these features in your environment.
to:
Check out the relevant Knowledge Base article on [[https://www.papercut.com/kb/Main/ForcingSSL|Forcing use of HTTPS/SSL]] for instructions towards configuring these features in your environment.
May 16, 2017, at 03:45 AM by peterf - Updated to reflect 17.1 release
Added lines 9-18:
'''Q: Can PaperCut NG and PaperCut MF ensure that connections to the web server are made over HTTPS using SSL?'''

A: Most definitely; the application can be configured to automatically redirect access attempts made over plain HTTP over to secure HTTPS. Furthermore, PaperCut NG and PaperCut MF 17.1 and beyond support HSTS, or HTTP Strict Transport Security, reinforcing our ability to keep connections routed over HTTPS. In conjunction with supported web browsers, HSTS allows for automatic HTTPS redirections to be enforced at the client level, with the browser itself repointing HTTP requests over to HTTPS at the behest of our web server.

Check out the relevant Knowledge Base article [[/kb/Main/ForcingSSL|Forcing use of HTTPS/SSL only]] for instructions towards configuring these features in your environment.

'''Q: I'm running a highly secure deployment, and notice that the application uses session cookies. How can I be sure these are being handled safely?'''

A: As of version 17.1 of PaperCut NG and PaperCut MF, a session cookie generated for access originating over a secure connection is automatically provided alongside both the "Secure" and [="HttpOnly"=] flags within the HTTP response header. The "Secure" flag ensures that the details of a session cookie will not be disclosed if a browser subsequently requests the information over a plain HTTP connection, whilst the [="HttpOnly"=] flag dictates that the cookie can only be accessed by the server itself, minimising the chance of it being intercepted and interpreted by a third party. For sites with particularly rigorous concerns around cookies, additional configuration can allow these flags to be included uniformly for all other cookie types issued by the web server; contact the PaperCut Support team for more information along these lines.

Changed lines 28-29 from:
@@server.force-host-header=printing.uni.edu@@
--> where @@printing.uni.edu@@ is the fully qualified host name that all users will access PaperCut on.
to:
->@@server.force-host-header=printing.uni.edu@@
-> ... where @@printing.uni.edu@@ is the fully qualified host name that all users will access PaperCut on.
Deleted lines 31-40:

'''Q: Can I log in to PaperCut with browser cookies disabled (using session IDs)?'''

A. As of 17.1, by default you cannot log in to the Admin web interface or the User web interface with browser cookies disabled. Session IDs are not allowed in PaperCut URLs. You can however, change this behavior:

# In a text editor, open [@[app-path]/server/server.properties@].
# Locate the line [@require-cookies-for-login=Y@].
# Change [@Y@] to [@N@].
# Save the file.
# Restart the PaperCut Application Server service.
May 10, 2017, at 06:22 AM by 139.130.165.134 -
Added lines 22-31:

'''Q: Can I log in to PaperCut with browser cookies disabled (using session IDs)?'''

A. As of 17.1, by default you cannot log in to the Admin web interface or the User web interface with browser cookies disabled. Session IDs are not allowed in PaperCut URLs. You can however, change this behavior:

# In a text editor, open [@[app-path]/server/server.properties@].
# Locate the line [@require-cookies-for-login=Y@].
# Change [@Y@] to [@N@].
# Save the file.
# Restart the PaperCut Application Server service.
Changed lines 3-4 from:
PaperCut uses an embedded web server called [[http://jetty.codehaus.org/jetty/|Jetty]].  Although the out-of-the-box security related settings should suit most sites, in some situations there are site-specific options that may improve security.  For general security related questions be sure to see [[CommonSecurityQuestions|+]] and [Security|+]].
to:
PaperCut uses an embedded web server called [[http://jetty.codehaus.org/jetty/|Jetty]].  Although the out-of-the-box security related settings should suit most sites, in some situations there are site-specific options that may improve security.  For general security related questions be sure to see [[CommonSecurityQuestions|+]] and [[Security|+]].
Changed lines 9-10 from:
'''Q: I use a NAT, and I can forge/create an HTTP request that exposes PaperCut's "internal" IP address'''
to:
'''Q: I use a NAT, and I can forge/create an HTTP request that exposes PaperCut's "internal" IP address.  How can I prevent this?'''
Added lines 1-29:
(:title Security Settings for PaperCut's Web Server:)

PaperCut uses an embedded web server called [[http://jetty.codehaus.org/jetty/|Jetty]].  Although the out-of-the-box security related settings should suit most sites, in some situations there are site-specific options that may improve security.  For general security related questions be sure to see [[CommonSecurityQuestions|+]] and [Security|+]].

'''Q: Can I use/install my own SSL certificate?'''

A: Yes, see the user manual section [[/products/ng/manual/apdx-ssl-key-generation.html|SSL/HTTPS Key Generation]], which includes instructions for both generating a new SSL certificate and installing an existing SSL certificate.

'''Q: I use a NAT, and I can forge/create an HTTP request that exposes PaperCut's "internal" IP address'''

(This question also applies to security audit software that may report something like "''Web Server HTTP Header Internal IP Disclosure''")

A: PaperCut's web server requires the ability to redirect users to new pages.  When performing a redirect, the target location is based on the ''Host'' header that the web browser requested.  If the host header is omitted (e.g. by manually crafting an HTTP request), the target location is based on the server's own hostname or IP address.  In a NAT environment this may not be ideal if the server's IP address is considered private.

As of PaperCut version 11.3, the web server may be "forced" to redirect to a defined host name.  If this option is used, it is important that ''all'' users access PaperCut via this defined host name, and that this host name is accessible to all users.  To enable this option:
->1. Open @@[app-path]/server/server.properties@@ in a text editor.
->2. Add the line:
@@server.force-host-header=printing.uni.edu@@
--> where @@printing.uni.edu@@ is the fully qualified host name that all users will access PaperCut on.
->3. Restart the service @@PaperCut Application Server@@
->4. Test access to the web interface (using both HTTP and HTTPS if applicable).
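
An added check for step 4 and for the cookie-policy and HSTS answers above (example code written for this page, not PaperCut's own): it audits a raw HTTP response header block for the three properties the article cares about, namely a redirect Location that names the configured force-host-header value rather than an IP address, Secure and HttpOnly on every cookie, and a Strict-Transport-Security header. The sample headers and the JSESSIONID cookie name are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample of what a hardened server should return over HTTPS
# (not captured from a real PaperCut server).
GOOD_HEADERS = """HTTP/1.1 302 Found
Location: https://printing.uni.edu/app
Strict-Transport-Security: max-age=31536000
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/; Secure; HttpOnly
"""

# Constructed sample of the weak case the article describes: an internal
# IP in the redirect target, a cookie without the flags, and no HSTS.
WEAK_HEADERS = """HTTP/1.1 302 Found
Location: http://10.0.0.12/app
Set-Cookie: JSESSIONID=abc123; Path=/
"""

def parse_headers(raw):
    """Return (status_line, [(lowercased name, value), ...])."""
    lines = [l for l in raw.splitlines() if l.strip()]
    pairs = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0], pairs

def audit(raw, expected_host):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
        elif name == "location":
            m = re.match(r"https?://([^/:]+)", value)
            target = m.group(1) if m else ""
            try:  # a literal IP in the Location header is the leak described above
                ip_address(target)
                findings.append(f"redirect exposes IP address {target}")
            except ValueError:
                pass
            if target != expected_host:
                findings.append(f"redirect host {target!r} != {expected_host!r}")
            if not value.startswith("https://"):
                findings.append("redirect target is not HTTPS")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings
```

Feed it the header block from a real response (for example the output of a raw HTTP client against the server) with the host you set in server.force-host-header.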

!!See also
* [[CommonSecurityQuestions|+]]
* [[Security|+]]
----
''Categories:'' [[Category.Security|+]]
----
[-Keywords: web security, security audit, IP address leak-]


Article last modified on November 25, 2018, at 11:55 PM