Difference between revisions of "QPR UI Security Hardening"

From Mea Wiki
 
(4 intermediate revisions by the same user not shown)
Line 5: Line 5:
  
 
== Change Payara Administrator Password ==
 
== Change Payara Administrator Password ==
Change [[Payara Configuration in QPR UI#Changing Payara Administrator Password|Payara administrator password]].
+
Instructions are [[Payara_Configuration_in_QPR_UI#Changing_Payara_Administrator_Password|here]].
 
 
Here is a Powershell script to change Payara Administrator password:
 
<pre>
 
#Change Payara Administrator Password (CMD popup will ask for password. Default Payara admin credentials: admin/admin)
 
Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList "change-admin-password" -Wait
 
Start-Process -FilePath "C:\Program Files\QPR Software Plc\QPR UI\Glassfish\bin\asadmin" -ArgumentList 'set configs.config.server-config.http-service.virtual-server.server.property.errorReportValve=""' -Wait
 
</pre>
 
  
 
== Allow Incoming Requests only from Localhost ==
 
== Allow Incoming Requests only from Localhost ==
This step applies only when IIS is used as a [[Setting up IIS as Reverse Proxy for QPR UI|reverse proxy for QPR UI]]. In Payara allow incoming requests only from localhost.
+
In Payara, allow incoming requests only from localhost.
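Review bot: the revised line under "Allow Incoming Requests only from Localhost" drops the qualifier "This step applies only when IIS is used as a reverse proxy for QPR UI" that the previous text carried. Without it the instruction reads as unconditional, and the link to the reverse proxy setup page is lost as well. Keep the condition, and name the Payara setting to change, since neither version says how the restriction is made.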
  
 
== Remove X-Powered-By HTTP Header ==
 
== Remove X-Powered-By HTTP Header ==
Removing the X-Powered-By HTTP response header improved security, because the underlying technology is not revealed publicly. You can disable this by turning off the '''XPowered By:''' header with your http-listener and by adding a JVM-Option '''-Dproduct.name=""'''.
+
Removing the '''X-Powered-By''' HTTP header improves security, because the underlying technology is not revealed. You can disable this by turning off the '''XPowered By:''' header with your http-listener and by adding a JVM-Option '''-Dproduct.name=""'''.
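Review bot: in the revised X-Powered-By sentence, "You can disable this" has no clear referent now that the sentence before it talks about removing the header, and the setting is spelled "XPowered By:" while the header is "X-Powered-By". Suggest "You can remove the header by ..." and a note on whether "XPowered By:" is the literal label of the http-listener option.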
  
More information about Payara hardening: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
+
== More Information ==
 +
More information about Payara security hardening: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
  
 
[[Category: QPR UI]]
 
[[Category: QPR UI]]

Latest revision as of 12:32, 23 December 2019

Follow these instructions to harden QPR UI security. The steps for QPR ProcessAnalyzer Security Hardening also apply to QPR UI.

Latest Java Installed

Check that the latest version of Java 8 is installed. Also make sure that automatic updating of Java is enabled.

Change Payara Administrator Password

Instructions are here.

Allow Incoming Requests only from Localhost

In Payara, allow incoming requests only from localhost.

Remove X-Powered-By HTTP Header

Removing the X-Powered-By HTTP header improves security, because the underlying technology is not revealed. You can remove the header by turning off the XPowered By: setting on your http-listener and by adding the JVM option -Dproduct.name="".
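One way to verify this step and the localhost restriction from the QPR UI server itself, as an added example that is not part of the original wiki page or of QPR's own tooling. It assumes Payara's HTTP and admin listeners use ports 8080 and 4848, that the localhost restriction is made by binding those listeners to the loopback address, and that the Server header is the one affected by -Dproduct.name; the function names are hypothetical.

```powershell
# Added example. Ports and URL are assumptions; adjust them to your installation.
$PayaraPorts = 8080, 4848
$CheckUrl    = 'http://localhost:8080/'

function Test-LoopbackOnly {
    param([int[]]$Ports)
    $loopback = '127.0.0.1', '::1'
    foreach ($port in $Ports) {
        $name = "Port $port bound to localhost only"
        $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
        if ($listeners.Count -eq 0) {
            [pscustomobject]@{ Check = $name; Result = 'NOT LISTENING'; Detail = '' }
            continue
        }
        # Any listener on 0.0.0.0, :: or a NIC address is reachable from other hosts.
        $exposed = @($listeners | Where-Object { $_.LocalAddress -notin $loopback })
        [pscustomobject]@{
            Check  = $name
            Result = if ($exposed.Count -eq 0) { 'PASS' } else { 'FAIL' }
            Detail = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        }
    }
}

function Test-DisclosureHeaders {
    param([string]$Url)
    try {
        $headers = (Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).Headers
    } catch {
        [pscustomobject]@{ Check = "Headers from $Url"; Result = 'ERROR'; Detail = $_.Exception.Message }
        return
    }
    foreach ($name in 'X-Powered-By', 'Server') {
        # A missing header indexes to $null; an empty value also counts as not disclosed.
        $value = "$($headers[$name])".Trim()
        [pscustomobject]@{
            Check  = "$name header not disclosed"
            Result = if ($value) { 'FAIL' } else { 'PASS' }
            Detail = $value
        }
    }
}

$results = @(Test-LoopbackOnly -Ports $PayaraPorts) + @(Test-DisclosureHeaders -Url $CheckUrl)
$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server after restarting Payara, since the JVM option only takes effect on restart.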

More Information

More information about Payara security hardening: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html