QPR UI Security Hardening
Follow these instructions to harden QPR UI security. The steps in QPR ProcessAnalyzer Security Hardening also apply to QPR UI.
Latest Java Installed
Check that the latest version of Java 8 is installed. Also make sure that automatic updating of Java is enabled.
Change Payara Administrator Password
Instructions are here.
Allow Incoming Requests only from Localhost
This step applies only when IIS is used as a reverse proxy for QPR UI. In Payara, allow incoming requests only from localhost.
Remove X-Powered-By HTTP Header
Removing the X-Powered-By HTTP response header improves security, because the underlying technology is not revealed publicly. You can remove it by turning off the "XPowered By:" setting of your http-listener and by adding the JVM option -Dproduct.name="".
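One way to verify the localhost and X-Powered-By steps after applying them is to audit the domain's domain.xml. This is an added example, not part of the original instructions or QPR's own tooling. It assumes the standard Payara element and attribute names (network-listener address, http xpowered-by, jvm-options) and that an absent address means 0.0.0.0 and an absent xpowered-by means the header is enabled; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Payara domain.xml (not taken from a real server).
SAMPLE = """<domain><configs><config name="server-config">
  <java-config><jvm-options>-Xmx512m</jvm-options></java-config>
  <network-config>
    <protocols>
      <protocol name="http-listener-1"><http xpowered-by="false"/></protocol>
      <protocol name="http-listener-2"><http/></protocol>
    </protocols>
    <network-listeners>
      <network-listener name="http-listener-1" protocol="http-listener-1"
                        port="8080" address="127.0.0.1"/>
      <network-listener name="http-listener-2" protocol="http-listener-2" port="8181"/>
    </network-listeners>
  </network-config>
</config></configs></domain>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_domain_xml(xml_text, config_name="server-config"):
    """Return a list of findings for the hardening steps described on this page."""
    root = ET.fromstring(xml_text)
    cfg = root.find(f"./configs/config[@name='{config_name}']")
    if cfg is None:
        return [f"config '{config_name}' not found"]
    findings = []
    # Assumption: a listener without an address attribute binds to 0.0.0.0.
    for nl in cfg.iter("network-listener"):
        addr = nl.get("address", "0.0.0.0")
        if nl.get("enabled", "true") == "true" and addr not in LOOPBACK:
            findings.append(f"{nl.get('name')}: listens on {addr}, not localhost")
    # Assumption: the header is sent unless xpowered-by is explicitly "false".
    for proto in cfg.iter("protocol"):
        http = proto.find("http")
        if http is not None and http.get("xpowered-by", "true") != "false":
            findings.append(f"{proto.get('name')}: X-Powered-By header enabled")
    opts = [(o.text or "").strip() for o in cfg.iter("jvm-options")]
    if not any(o.startswith("-Dproduct.name=") for o in opts):
        findings.append("JVM option -Dproduct.name is not set")
    return findings

if __name__ == "__main__":
    for finding in audit_domain_xml(SAMPLE):
        print(finding)
```

The localhost check is only relevant when IIS is used as the reverse proxy, as stated above; ignore those findings otherwise.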
More information about Payara hardening: http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html