Nuxeo Server

Security Recommendations

Updated: March 18, 2024

This page presents some security recommendations, applicable through configuration files.

Tomcat Web Server

The Tomcat server included in the Nuxeo distribution is already configured following the main security recommendations.

Additionally, you can consider removing or restricting the access to the default Tomcat tools (admin and manager webapps).

Avoid Sending the Tomcat Version

nuxeo.conf

nuxeo.server.signature=Nuxeo

Apache Web Server

When using Apache HTTP Server as a proxy in front of your Nuxeo instance, you shall harden it following those rules.

Clean the Server Header

apache.conf

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off

Disallow TRACE Requests

apache.conf

# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off 

ETag Headers Generation

Do not use filesystem sensitive information to generate the ETag headers.

nuxeo-vhost.conf

FileETag None

Prevent "Clickjacking"

nuxeo-vhost.conf

Header always append X-Frame-Options SAMEORIGIN

Prevent Cross Site Scripting - XSS

nuxeo-vhost.conf

Header set X-XSS-Protection "1; mode=block"

HTTP Protocol Version

Allow HTTP Protocol version 1.1 only.

nuxeo-vhost.conf

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

Prevent "Slowloris" Attacks

nuxeo-vhost.conf

Timeout 60

SSL Ciphers

Accept SSL high quality ciphers only.

nuxeo-vhost.conf

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

SSL Protocols

Accept strong SSL protocols only.

nuxeo-vhost.conf

SSLProtocol -all +TLSv1.2

Cookies

Secure the cookies (when using SSL).

nuxeo-vhost.conf

Header edit Set-Cookie ^(.*)$ $1;Secure

Use mod_security

https://www.modsecurity.org/