Security
Mitigating Cross-Site Scripting Attacks
By default, Horizon 7 employs the XSS (cross-site scripting) Filter feature to mitigate cross-site scripting
attacks by sending the header x-xss-protection=1; mode=block in its HTTP responses.
You can disable this feature by adding the following entry to the file locked.properties:
x-xss-protection=OFF
Content Type Checking
By default, Horizon 7 accepts requests with the following declared content types only:
- application/x-www-form-urlencoded
- application/xml
- text/xml
Note: In earlier releases, this protection was disabled by default.
To restrict the content types that View accepts, add the following entry to the file locked.properties:
acceptContentType.1=content-type
For example:
acceptContentType.1=x-www-form-urlencoded
To accept another content type, add the entry acceptContentType.2=content-type, and so on.
To accept requests with any declared content type, specify acceptContentType=*.
Note: In releases earlier than Horizon 7 version 7.2, changing this list does not affect connections to
Horizon Administrator.
User Agent Whitelisting
Set a whitelist to restrict user agents that can interact with Horizon 7. By default, all user agents are
accepted.
Note: This is not strictly a security feature. User agent detection relies on the user-agent request header
provided by the connecting client or browser, which can be spoofed. Some browsers allow the request
header to be modified by the user.
A user agent is specified by its name and a minimum version. For example:
clientWhitelist-portal.1 = Chrome-14
clientWhitelist-portal.2 = Safari-5.1
This means that only Google Chrome version 14 and later, and Safari version 5.1 and later are allowed to
connect using HTML Access. All browsers can connect to other services.
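The following added example (not VMware code) audits a locked.properties file for the settings described above: a disabled XSS filter header, the wildcard content type, and client whitelist entries that do not follow the name-minimumVersion form. The sample file content, the function names and the case-insensitive match on OFF are assumptions.

```python
import re

# Constructed sample locked.properties content (not from a real server).
SAMPLE = """\
# HTTP protection overrides
x-xss-protection=OFF
acceptContentType=*
clientWhitelist-portal.1 = Chrome-14
clientWhitelist-portal.2 = Safari
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, message) findings for settings that relax the defaults."""
    findings = []
    # Case-insensitive match on OFF is an assumption, chosen to over-report.
    if props.get("x-xss-protection", "").upper() == "OFF":
        findings.append(("x-xss-protection", "XSS filter header is disabled"))
    if props.get("acceptContentType") == "*":
        findings.append(("acceptContentType", "any declared content type is accepted"))
    whitelist = {k: v for k, v in props.items()
                 if re.fullmatch(r"clientWhitelist-portal\.\d+", k)}
    if not whitelist:
        findings.append(("clientWhitelist-portal",
                         "no whitelist: all user agents accepted (the default)"))
    for key in sorted(whitelist):
        # The page gives entries as name-minimumVersion, e.g. Chrome-14.
        if not re.fullmatch(r"[A-Za-z]+-\d+(\.\d+)*", whitelist[key]):
            findings.append((key, f"'{whitelist[key]}' is not name-minimumVersion"))
    return findings

if __name__ == "__main__":
    for key, message in audit(parse_properties(SAMPLE)):
        print(f"{key}: {message}")
```

A missing whitelist is reported for information only, since accepting all user agents is the default and the header can be spoofed.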
You can enter the following recognised user agent names:
- Android
- Chrome
- Edge
- IE
- Firefox
Chapter 7 HTTP Protection Measures on Connection Servers and Security Servers
VMware, Inc. 39










