camunda-community-hub / micronaut-camunda-platform-7

Integration between Micronaut and Camunda (Workflow Engine). We configure Camunda with sensible defaults, so that you can get started with minimum configuration: simply add a dependency in your Micronaut project to embed the workflow engine!
https://camunda.com/blog/2021/07/automate-any-process-on-micronaut/
Apache License 2.0

Jetty Webapps: Implement SecurityFilter and CsrfPreventionFilter #252

Closed martisaw closed 3 years ago

martisaw commented 3 years ago

There are still three TODOs in the class JettyServerCustomizer.java that need to be implemented: https://github.com/NovatecConsulting/micronaut-camunda-bpm/blob/6190b2708a4cf81b600c29a38258b13137ca8f45/micronaut-camunda-bpm-feature/src/main/java/info/novatec/micronaut/camunda/bpm/feature/JettyServerCustomizer.java#L153-L155

Maybe you can get some information/inspiration on how to do that from: https://github.com/camunda/camunda-bpm-platform/tree/master/spring-boot-starter/starter-webapp-core/src/main/java/org/camunda/bpm/spring/boot/starter/webapp/filter

martisaw commented 3 years ago

Note: I manually tested the following properties:

camunda.webapps.csrf.target-origin
I set the target-origin to example.com -> The Webapps show an error when I try to log in because it is the wrong domain. Setting it to http://localhost:8080 allowed me to log in (worked as expected).

camunda.webapps.csrf.cookie-name
The default cookie name is XSRF-TOKEN. I changed the name and checked with the developer tools in my browser. The name did change, so the property also worked as expected.

camunda.webapps.header-security.xss-protection-disabled
I set this to true and disabled the header X-XSS-Protection. Worked as expected.

camunda.webapps.header-security.xss-protection-value
I set this to 1, mode=sanitize and was able to see this value in the header. Worked as expected.

I also set xss-protection-disabled and xss-protection-value together. Worked as expected. No header was shown, the value was ignored.

camunda.webapps.header-security.hsts-disabled
I set this to false so that the header will show up on a request. The "Strict-Transport-Security" header was shown in the response with the default max-age value. Worked as expected.
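The manual checks above (CSRF cookie name, X-XSS-Protection present or suppressed, Strict-Transport-Security with a max-age) can be repeated against a captured response. The script below is an added example, not part of this issue or the project's code; the response headers are constructed, and the default argument values are assumed to mirror the properties' defaults, so pass your own configured values when using it.

```python
"""Verify that the Camunda webapp security properties tested above took effect,
given the raw response headers copied from the browser's developer tools."""

# Constructed sample: a response from the Camunda webapp with all three
# features active (CSRF cookie, X-XSS-Protection header, HSTS header).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: XSRF-TOKEN=abc123; Path=/camunda; SameSite=Lax
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
"""


def parse_headers(raw):
    """Return (lowercase-name, value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_security_headers(raw, cookie_name="XSRF-TOKEN",
                           xss_disabled=False, xss_value="1; mode=block",
                           hsts_disabled=True):
    """Map each tested property to True if the response matches the
    configured expectation. Defaults are assumptions about the property
    defaults; pass the values from your own configuration."""
    headers = parse_headers(raw)
    # Cookie name is the part before the first '=' of each Set-Cookie value.
    cookie_names = {v.split("=", 1)[0].strip()
                    for n, v in headers if n == "set-cookie"}
    xss = [v for n, v in headers if n == "x-xss-protection"]
    hsts = [v for n, v in headers if n == "strict-transport-security"]

    results = {"csrf_cookie": cookie_name in cookie_names}
    if xss_disabled:
        # Disabling the feature means the header must not be sent at all,
        # even if a value is configured alongside it.
        results["xss_protection"] = not xss
    else:
        results["xss_protection"] = xss == [xss_value]
    if hsts_disabled:
        results["hsts"] = not hsts
    else:
        results["hsts"] = bool(hsts) and "max-age=" in hsts[0]
    return results
```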