The application server that hosts JasperReports Server issues and handles the session cookie. To prevent malicious scripts running in a client's browser from reading the session cookie and hijacking the user's connection, configure the application server to set the httpOnly flag on its cookies. This flag tells the browser that the cookie is to be sent only to the server and must not be exposed to client-side script (for example, through document.cookie). The setting limits the damage a cross-site scripting (XSS) attack can do, because an injected script can no longer steal the session cookie; it does not by itself remove the XSS flaw. Consult the documentation for your application server on how to set httpOnly cookies.
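Once the application server has been configured, a practitioner will want to confirm that the session cookie actually leaves the server with the httpOnly flag (and, since the guide also covers it, the Secure flag). The following Python script is an added example, not part of the guide or of JasperReports Server itself; it parses Set-Cookie header values and reports any session cookie that lacks either flag. It assumes the session cookie is named JSESSIONID, the default for Java web applications on Tomcat, and the sample header lines are constructed for the example rather than captured from a real server.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags on the session cookie."""
from dataclasses import dataclass, field

# Constructed sample Set-Cookie header values, as an application server might emit them.
# They are not captured from a real JasperReports Server instance.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/jasperserver; HttpOnly; Secure",  # correctly flagged
    "JSESSIONID=F6E5D4C3B2A1; Path=/jasperserver",                    # missing both flags
    "theme=dark; Path=/; Max-Age=86400",                              # not a session cookie
]


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into cookie name, value and attributes.

    Attribute names are matched case-insensitively, as browsers do. Flag
    attributes such as HttpOnly and Secure carry no value and are stored as None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        attr_name, _, attr_value = part.partition("=")
        attributes[attr_name.strip().lower()] = attr_value.strip() or None
    return ParsedCookie(name.strip(), value.strip(), attributes)


def audit_session_cookies(headers, session_cookie_name="JSESSIONID"):
    """Return (header, missing_flags) for every session cookie lacking HttpOnly or Secure.

    session_cookie_name defaults to JSESSIONID (assumed Tomcat default). An empty
    result means every session cookie seen carried both flags.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name != session_cookie_name:
            continue  # only the session cookie is in scope for this check
        missing = []
        if not cookie.http_only:
            missing.append("HttpOnly")
        if not cookie.secure:
            missing.append("Secure")
        if missing:
            findings.append((header, missing))
    return findings


if __name__ == "__main__":
    for header, missing in audit_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie missing {', '.join(missing)}: {header}")
```

In practice you would feed the script the Set-Cookie values from a login response to your own server rather than the constructed list. On Tomcat, the server-side setting this verifies is the useHttpOnly attribute on the Context element (or the http-only element under session-config/cookie-config in a Servlet 3.0 web.xml); the flag is checked case-insensitively because browsers treat HttpOnly and httponly alike.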
This documentation is an older version of JasperReports Server Security Guide.