[Geomoose-users] Advice on securing a GeoMoose application
Bistrais, Bob
Bob.Bistrais at maine.gov
Wed Jan 20 06:45:03 PST 2016
Thanks Jeff! I'll post any new findings to this forum and also to you directly.
Bob
-----Original Message-----
From: Geomoose-users [mailto:geomoose-users-bounces at lists.osgeo.org] On Behalf Of Jeff McKenna
Sent: Wednesday, January 20, 2016 9:40 AM
To: geomoose-users at lists.osgeo.org
Subject: Re: [Geomoose-users] Advice on securing a GeoMoose application
A few years ago a security company did a review of MS4W (including Apache and PHP) and from that many changes were made to the releases.
Bob, keep me posted on what you find with Apache, and I'll try to include your recommendations.
-jeff
On 2016-01-19 4:13 PM, Bistrais, Bob wrote:
> Hi again folks,
>
> I sent my security report to Dan and it looks like many of the problems are Apache related. I've made some progress on that front. A problem I can't seem to resolve now is the issue of Content Security Policy headers. This is actually a Dojo problem but wondering if anyone's had the same problem and can advise.
> I tried setting a content security policy on the Apache http.conf file as follows:
> Header set Content-Security-Policy: "default-src 'self' http://dojotoolkit.org; script-src 'self' http://dojotoolkit.org"
>
> -But when I try to load the application I get an error with Dojo. In FireBug this is the error:
>
> Error: call to Function() blocked by CSP
> ...op=Object.prototype,_97=op.toString,_98=new Function,_99=0,_9a="constructor";fun..
>
> -Any ideas?
>
> Thanks again,
> BB
>
> -----Original Message-----
> From: Dan Little [mailto:theduckylittle at gmail.com]
> Sent: Wednesday, January 13, 2016 1:18 PM
> To: Bistrais, Bob
> Cc: geomoose-users at lists.osgeo.org
> Subject: Re: [Geomoose-users] Advice on securing a GeoMoose
> application
>
> Hey Bob,
>
> Not sure any of these are directly GeoMOOSE.
>
> A lot of those are generic errors that can be addressed but we (I) would need a lot more information about what their scanner found.
>
>
>
> On Tue, Jan 12, 2016 at 10:52 AM, Bistrais, Bob <Bob.Bistrais at maine.gov> wrote:
>> Hi all,
>>
>>
>>
>> I’m working through a Deployment Certification on one of my GeoMoose
>> applications. Our web security folks sent me back a report of the
>> security scan. Issues include cross-site scripting, directory
>> listings, link injection, phishing through frames, and others.
>>
>>
>>
>> Within the context of the GeoMoose architecture, can anyone provide
>> advice, or direct me to a good resource, on how to address those kinds of issues?
>>
>>
>>
>> Thanks,
>>
>> Bob
>>
>>
>>
--
Jeff McKenna
MapServer Consulting and Training Services
http://www.gatewaygeomatics.com/
_______________________________________________
Geomoose-users mailing list
Geomoose-users at lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/geomoose-users
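
The error quoted in the thread comes from Dojo calling `new Function`, which CSP treats like `eval()`: it runs only when the directive that governs scripts lists `'unsafe-eval'`. As an added example (not part of the original thread and not GeoMoose or Dojo code), this Node.js sketch checks a policy string for that; the function names and the two variant policies are constructed for illustration.

```javascript
// Added example: does a Content-Security-Policy let eval()/new Function() run?
// Simplified model (assumption): only the script-src -> default-src fallback
// and the 'unsafe-eval' keyword are considered.

// Policy value quoted in the thread.
const THREAD_POLICY =
  "default-src 'self' http://dojotoolkit.org; script-src 'self' http://dojotoolkit.org";
// Constructed variants for comparison.
const EVAL_IN_SCRIPT_SRC =
  "default-src 'self'; script-src 'self' 'unsafe-eval' http://dojotoolkit.org";
const EVAL_IN_DEFAULT_ONLY =
  "default-src 'self' 'unsafe-eval'; script-src 'self' http://dojotoolkit.org";

// Split a policy into directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Name of the directive that governs script execution, or null if none does.
function governingDirective(policy) {
  const d = parseCsp(policy);
  if (d.has('script-src')) return 'script-src';
  return d.has('default-src') ? 'default-src' : null;
}

// True when string-to-code calls such as new Function() are permitted.
function evalAllowed(policy) {
  const name = governingDirective(policy);
  if (name === null) return true; // nothing in the policy restricts scripts
  return parseCsp(policy).get(name).some((s) => s.toLowerCase() === "'unsafe-eval'");
}

for (const p of [THREAD_POLICY, EVAL_IN_SCRIPT_SRC, EVAL_IN_DEFAULT_ONLY]) {
  console.log(`${evalAllowed(p) ? 'allowed' : 'blocked'} via ${governingDirective(p)}: ${p}`);
}
```

The third policy stays blocked because `script-src`, once present, replaces `default-src` for scripts. Listing `'unsafe-eval'` permits string-to-code evaluation for every script the policy allows, so it widens the policy rather than exempting Dojo alone.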