Changes for page Security

Last modified by Vincent Massol on 2021/07/21

From version < 22.1 >
edited by Vincent Massol
on 2017/09/06
To version < 23.3 >
edited by Simon Urli
on 2018/10/04
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.VincentMassol
1 +XWiki.surli
Content
... ... @@ -48,14 +48,15 @@
48 48  
49 49  === Encrypt cookies using IP address ===
50 50  
51 -Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>Documentation.AdminGuide.Security#HCrossSiteScripting]]) and used as they are.
52 -By setting the //[[xwiki.cfg>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]]// parameter ##xwiki.authentication.useip## to true you can block the cookies from being used except by the same IP address which got them.
51 +Even if the password cannot be extracted from the cookie, the cookies might be stolen (see [[XSS>>Documentation.AdminGuide.Security#HCrossSiteScripting]]) and used as they are. To limit this by default, the cookies are blocked from being used except by the same IP address that was used to create them.
53 53  
53 +You can disable this by setting the [[##xwiki.cfg##>>Documentation.AdminGuide.Configuration#HSamplexwiki.cfg]] parameter ##xwiki.authentication.useip## to false.
54 +
54 54  == Override version information ==
55 55  
56 56  By default, the exact XWiki version is shown in the footer of every page. This is not harmful by itself, but can provide useful information to the attacker, who can use known vulnerabilities against this version.
57 57  
58 -You can change the version string shown in the footer using the [[Administration Application>>extensions:Extension.Administration Application]]. Click on the ##Presentaton## icon and change the version string in the //Version// field.
59 +You can change the version string shown in the footer using the [[Administration Application>>extensions:Extension.Administration Application]]. Click on the ##Presentation## icon and change the version string in the //Version// field. Please note that with this solution, the version can still be find through a REST request on the wiki.
59 59  
60 60  If you want to be sure the version is definitely not leaked somewhere else, you can replace the file //WEB-INF/version.properties// by your own version with the following content: {{code}}version=your version string here{{/code}}.
61 61  
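Review bot: the sentence added at +59 has a grammar slip, "the version can still be find through a REST request" should read "can still be found through a REST request"; since the point of that sentence is that the footer override alone does not hide the version, consider also making it explicit that the REST API reports the real version regardless of the Presentation setting, so that readers move on to the //WEB-INF/version.properties// approach in the next paragraph when they actually need it hidden. The rewritten +51 also reads awkwardly: "To limit this by default, the cookies are blocked from being used except by the same IP address that was used to create them" attaches "by default" to "limit" rather than to the blocking; something like "To limit this, cookies are by default blocked from being used by any IP address other than the one that created them" states the behaviour change (##xwiki.authentication.useip## is now on unless disabled) more clearly, and +53 then reads naturally as the opt-out. Minor: +53 changes the ##xwiki.cfg## link from the //italic// style used elsewhere on the page to monospace; either is fine, but keep it consistent with the other occurrences.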