Securing the Web Application - Micetro - 25.2.0

Micetro Installation Guide

Locale: en-US
Product name: Micetro
Version: 25.2.0

The following are security measures that are commonly addressed, but the ones that apply may differ based on your organization and its changing security requirements. They are only a few of the measures you may want to implement, not a comprehensive list. We recommend following the best practices for your web server to ensure that your environment is secure.

Recommended measures to ensure the security of your environment include setting up a reverse proxy and implementing the Content-Security-Policy HTTP header, among others.

Additionally, the web service exposes several documentation endpoints that are accessible without authentication. You may want to restrict access to these endpoints in production environments to improve security.

Setting up a reverse proxy

The Micetro Web Application automatically sets up a proxy to communicate with the backend. The Linux installer configures the proxy with the necessary headers. For the content returned to the client, the installer performs only minimal configuration. We highly recommend thoroughly reviewing it and adding all the headers needed to fully secure the application according to your IT policies and/or best practices. For information about reverse proxies, refer to the Apache documentation.

Implementing the Content-Security-Policy HTTP header

We recommend implementing the Content-Security-Policy (CSP) HTTP header, which provides additional protection from client-side attacks, e.g., cross-site scripting. The specific implementation of the CSP header depends on your application configuration, but OWASP provides general instructions.

At a minimum, you should use the CSP header with the directive default-src, as well as:

  • script-src to restrict script execution
  • frame-ancestors to prevent framing attacks

To implement the CSP HTTP header:

  1. Using VirtualHost on Apache, add the following configuration:
    Note: This assumes that mod_headers is already enabled.
    <VirtualHost *:80>
        ServerName yourdomain.com
        DocumentRoot /var/www/html
    
        Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'self';"
    
        # Other settings...
    </VirtualHost>
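As an added example that is not part of the Micetro documentation or the installer, the following Python script parses a Content-Security-Policy header value and checks it against the minimum set of directives recommended above (default-src, script-src, frame-ancestors). It also flags source expressions such as * or 'unsafe-inline' that would undermine the protection those directives are meant to give. The header values in the script are constructed samples; to check your own deployment, paste in the value your server actually returns (for example, from the response headers shown by curl -I).

```python
"""Check a Content-Security-Policy header value against the minimum directives
recommended in this guide.

Added example, not Micetro's own code. The sample header values below are
constructed for illustration, not captured from a running server.
"""
from typing import Dict, List

# The minimum set of directives the guide recommends.
REQUIRED_DIRECTIVES = ("default-src", "script-src", "frame-ancestors")

# Source expressions that weaken the protection a directive is meant to provide.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:"}

# Constructed sample values: the policy from the VirtualHost above, and a weak one.
RECOMMENDED_CSP = "default-src 'self'; script-src 'self'; frame-ancestors 'self';"
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline'"


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';'; each directive name is followed by
    whitespace-separated source expressions. Names are case-insensitive.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header_value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        name = tokens[0].lower()
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(name, tokens[1:])
    return policy


def check_csp(header_value: str) -> List[str]:
    """Return a list of findings; an empty list means the minimum is met."""
    policy = parse_csp(header_value)
    findings: List[str] = []
    for directive in REQUIRED_DIRECTIVES:
        if directive not in policy:
            findings.append(f"missing directive: {directive}")
            continue
        sources = policy[directive]
        if not sources:
            # An empty source list matches nothing (the same as 'none'),
            # which usually means the header was mistyped.
            findings.append(f"{directive} has an empty source list")
        for source in sorted(WEAK_SOURCES.intersection(sources)):
            findings.append(f"{directive} allows weak source {source}")
    return findings


if __name__ == "__main__":
    for label, value in (("recommended", RECOMMENDED_CSP), ("weak", WEAK_CSP)):
        print(f"{label}: {value}")
        for finding in check_csp(value) or ["ok"]:
            print(f"  - {finding}")
```

Run the script as-is to see the recommended policy pass and the weak one produce three findings; replace WEAK_CSP with the header your server returns to check your own configuration.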