HP LaserJet, HP PageWide - Secure by Default Initiative (white paper)

When enabled, the CSRF protection feature prevents commands from being sent to the device through the EWS configuration
interface unless an EWS session has first been initiated; it is the session that establishes the CSRF token. Without
this protection, configuration commands can be captured and replayed through scripting to change device settings, a
method referred to as "web scraping".
This feature is enabled by default. It can be disabled if required.
EWS Setting Configuration Path:
Security Tab -> General Security
Figure 7: Cross-Site Request Forgery (CSRF) Protection in the Embedded Web Server (EWS)
Note: See Appendix A Print Solution and Fleet tool Impacts for effects on device solutions and fleet management
tools.
Please see Preventing Cross Site Request Forgery (CSRF) Attack using CSRF-Tokens on HP Printing Devices for more
information.
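The following Python model, added here as an illustration and not HP's EWS code, shows why the mechanism described above defeats captured-and-replayed ("web scraping") commands: the token is random, issued only when a session is opened, and bound to that session, so a command captured from one session is rejected after that session ends or when presented from another session. The class name, the shape of the request dictionaries and the setting name "example-setting" are assumptions made for this example, and the fourth case shows what the same replay looks like with the feature disabled.

```python
"""Session-bound CSRF token check, modelled on the behaviour described above.

Added illustration, not HP's EWS code: the class name, the session/token
handling and the 'request' dictionaries are assumptions made for this example.
"""
import hmac
import secrets


class ConfigInterface:
    """Minimal model of a configuration interface that issues a CSRF token
    when a session is opened and requires that token on every command."""

    def __init__(self, csrf_enabled: bool = True) -> None:
        self.csrf_enabled = csrf_enabled
        self._sessions: dict = {}   # session id -> CSRF token bound to it
        self.settings: dict = {}

    def open_session(self) -> tuple:
        """Log in: returns (session_id, csrf_token). The token is random and
        valid only for this session."""
        session_id = secrets.token_hex(16)
        token = secrets.token_hex(16)
        self._sessions[session_id] = token
        return session_id, token

    def close_session(self, session_id: str) -> None:
        """Log out: the token issued to this session stops being valid."""
        self._sessions.pop(session_id, None)

    def apply_setting(self, request: dict) -> bool:
        """Handle one configuration command. `request` carries the session
        cookie, the CSRF token field and the setting to change.
        Returns True if applied, False if rejected."""
        if self.csrf_enabled:
            expected = self._sessions.get(request.get("session"))
            if expected is None:
                return False          # no live session: reject
            supplied = request.get("csrf_token", "")
            if not hmac.compare_digest(supplied, expected):
                return False          # token missing or issued to another session
        self.settings[request["name"]] = request["value"]
        return True


def demo() -> dict:
    """Run the cases a practitioner cares about and return each outcome."""
    results = {}
    # 1. Legitimate use: open a session, obtain the token, send the command.
    ews = ConfigInterface(csrf_enabled=True)
    sid, tok = ews.open_session()
    results["with_session_and_token"] = ews.apply_setting(
        {"session": sid, "csrf_token": tok, "name": "example-setting", "value": "off"})
    # 2. 'Web scraping': the same command captured and replayed later,
    #    after the session that issued the token has ended.
    captured = {"session": sid, "csrf_token": tok, "name": "example-setting", "value": "on"}
    ews.close_session(sid)
    results["replay_after_logout"] = ews.apply_setting(captured)
    # 3. A fresh session cannot reuse a token captured from another session.
    sid2, _tok2 = ews.open_session()
    results["token_from_other_session"] = ews.apply_setting(
        {"session": sid2, "csrf_token": tok, "name": "example-setting", "value": "on"})
    # 4. With CSRF protection disabled, the replayed command is accepted.
    legacy = ConfigInterface(csrf_enabled=False)
    results["replay_with_csrf_disabled"] = legacy.apply_setting(captured)
    return results
```

Case 4 is the behaviour fleet tools that script the EWS directly depend on; that is why the Appendix A note above matters when the feature is left enabled.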
Administrator Password Complexity and Minimum Length
The administrator password complexity feature requires that the password contain characters from at least 3 of the following 4 categories:
Upper case characters
Lower case characters
Numbers
Special characters
The minimum password length feature enforces a configurable minimum length for the administrator password, settable from 1 to 16
characters; the default setting is 8 characters. Setting the minimum length to zero (0) disables the minimum password length feature.
This feature is enabled by default. It can be disabled if required.
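A fleet script that pushes administrator passwords to many devices benefits from checking a candidate against these two rules before attempting to set it. The Python validator below is an added example, not HP's code and not an HP-provided API: the rules (3 of 4 categories; minimum length 1 to 16 with 0 meaning disabled and a default of 8) come from the text above, while the treatment of any other printable non-space character as "special" is an assumption about how the device classifies characters.

```python
"""Pre-check an administrator password against the complexity and
minimum-length rules described above.

Added example; not HP's code. Which characters the device itself counts as
'special' is an assumption (here: any printable character that is not a
letter, digit or whitespace).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    complexity_enabled: bool = True   # require 3 of the 4 character categories
    min_length: int = 8               # default 8; 0 disables the length check

    def __post_init__(self) -> None:
        if not 0 <= self.min_length <= 16:
            raise ValueError("minimum length must be 0 (disabled) or 1-16")


def categories_present(password: str) -> set:
    """Return which of the four categories the password uses."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif ch.isprintable() and not ch.isspace():
            found.add("special")   # assumption: any other printable character
    return found


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if policy.min_length and len(password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if policy.complexity_enabled:
        cats = categories_present(password)
        if len(cats) < 3:
            problems.append(
                f"uses {len(cats)} of 4 character categories "
                f"({', '.join(sorted(cats)) or 'none'}); need 3")
    return problems
```

Run the check with the policy configured on the device, for example `check_password(candidate, PasswordPolicy(min_length=12))`, and treat a non-empty result as a reason not to attempt the change.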
Account Lockout
The account lockout feature protects the device administrative accounts against brute-force password guessing. After a
configured number of failed authentication attempts, the device rejects further authentication attempts for that account
for a configured interval, even if the correct credentials are then supplied.
The account lock feature applies to the following passwords:
EWS password
Remote configuration password
SNMPv3 authentication and privacy passphrases
This feature is enabled by default. It can be disabled if required.
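The lockout behaviour above can be modelled to reason about what an attacker actually gets, which is useful when choosing the threshold and interval. The Python model below is an added example, not HP's firmware or configuration schema: the threshold and interval are assumed values (the real ones are set in the EWS), the clock is injectable so the expiry can be tested without waiting, and the last function gives the upper bound on online guesses per hour that a given threshold/interval pair leaves an attacker against one account.

```python
"""Lockout-after-N-failures model of the behaviour described above.

Added example, not HP's firmware. The defaults for max_failures and
lock_seconds are assumptions; the device's configured values apply in practice.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class AccountLockout:
    max_failures: int = 5                           # assumed default
    lock_seconds: float = 300.0                     # assumed default
    clock: Callable[[], float] = time.monotonic     # injectable for tests
    _failures: dict = field(default_factory=dict)   # account -> consecutive failures
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        """True while the account's lockout interval has not yet elapsed."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Interval elapsed: clear state so failure counting restarts.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def authenticate(self, account: str, password: str, secrets_db: dict) -> str:
        """Return 'ok', 'denied' or 'locked'. While locked, even the correct
        password is refused; that is the point of the feature."""
        if self.is_locked(account):
            return "locked"
        stored = secrets_db.get(account, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            self._failures.pop(account, None)   # success resets the counter
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds
            return "locked"
        return "denied"


def guesses_per_hour(max_failures: int, lock_seconds: float) -> float:
    """Upper bound on online guesses per hour against one account: the
    attacker gets max_failures tries, then must wait lock_seconds, repeatedly.
    The tries themselves are assumed to take negligible time."""
    return max_failures * 3600.0 / lock_seconds
```

With the assumed defaults of 5 failures and a 300-second interval an attacker is held to 60 guesses per hour per account, which is why the feature matters most for the SNMPv3 passphrases and remote configuration password, where failed attempts are otherwise silent and scriptable.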