Keeweb config.json
12/28/2023

Where I work, we really needed a team password manager that's kept up to date with any password that's been added by a team member. In addition to that, we needed it to be protected by an LDAP authentication and self-hosted (I personally can't trust any cloud-based password manager). Sadly, most of the open source web-based password managers that offer self-hosting and LDAP authentication were paid. Lucky for me (and for you), we can build what we want using the following free and open source applications: Apache httpd and its mods, and KeeWeb, by its amazing author.

We all know what Apache httpd and its mods are, but let's talk a little about KeeWeb (Github repo). It's basically written in HTML/CSS and JavaScript, and it's based on KeePass, so you get almost all the features of the KeePass desktop app; the .kdbx database is handled locally in the browser, so security++. It uses the browser cache whenever it can, so keep an eye on that when redeploying your application.

We'll deploy KeeWeb on an Apache httpd web server, we'll configure KeeWeb to look for our .kdbx database hosted on the same server using the WebDAV protocol, and finally we'll protect access to the website by configuring the Apache LDAP module. I'll be working on CentOS 7, so some commands may vary depending on your operating system.

So let's get started by installing Apache httpd. Apache on CentOS automatically loads the necessary mods that we'll use in our configuration, so don't worry about that.

Next, we have to get the resources of the KeeWeb application (the gh-pages.zip archive). Unzip it at the root of your HTTP server:

    sudo unzip gh-pages.zip -d /var/www/html/

You should have a folder /var/www/html/keeweb-gh-pages; let's move its content to the parent folder (the second command only runs once the first has succeeded):

    sudo mv /var/www/html/keeweb-gh-pages/* /var/www/html/ && sudo rmdir /var/www/html/keeweb-gh-pages/

Then give the files to the httpd user:

    chown -R apache:apache /var/www/html/

Next, we are going to write a Virtual Host for KeeWeb. This is my full virtual host configuration file; we assume that the .kdbx database file will be stored in the webdav folder of our website.

    # According to the dev of KeeWeb, OPTIONS requests must work without authorization,
    # so we'll keep it outside the following location tags
    Header always set Access-Control-Allow-Credentials "true"
    Header always set Access-Control-Allow-Methods "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
    Header always set Access-Control-Expose-Headers "ETag"
    Header always set Access-Control-Allow-Headers "origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
    Header always set Access-Control-Allow-Origin "*"

Then a classic location tag to configure WebDAV:

Head off to your browser and authenticate with your LDAP credentials: you should now see the KeeWeb app! You can choose the WebDAV method by clicking More, then fill in the path to your .kdbx file. If you don't have a .kdbx file yet, I recommend creating one using the KeePass 2 desktop app and copying it inside the /webdav folder.

Automated scan findings (as reported on the page):

Server Side Injection (SSI) - setTimeout(): User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).
Server Side Injection (SSI) - setInterval(): User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE).
A hardcoded password in plain text was identified.
A hardcoded key in plain text was identified.
Files listed: app/scripts/views/details/details-view.js, app/scripts/views/fields/field-view-custom.js, app/scripts/views/fields/field-view-otp.js
Missing Security Header - X-Frame-Options (XFO): the X-Frame-Options (XFO) header provides protection against Clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP): Content Security Policy (CSP) is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS).
Missing Security Header - Strict-Transport-Security (HSTS): the Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
JavaScript can access Cookies if they are not marked httpOnly.
Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options: the X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
Missing Security Header - X-Download-Options: noopen: the X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection: 1: the X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP): Public-Key-Pins (HPKP) ensures that the certificate is pinned.
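The virtual host the tutorial describes, written out as an added example; it is not the post's own vhost file. It shows the three pieces the post combines: KeeWeb served as static files, the .kdbx exposed over WebDAV under /webdav, and every method except OPTIONS gated by LDAP. ServerName, certificate paths, the LDAP URL, the bind DN and password, and the lock DB path are placeholders. Two caveats the post does not mention: on CentOS 7, mod_ssl and mod_ldap (which carries mod_authnz_ldap) are separate packages from httpd, and browsers refuse Access-Control-Allow-Origin "*" when Access-Control-Allow-Credentials is "true", so the example names the KeeWeb origin explicitly (if KeeWeb and the WebDAV share live on the same origin, the CORS block is not needed at all).

```apache
# Added example, not the post's own configuration. Placeholder values are marked.

# mod_dav_fs needs a lock database writable by the apache user (path is an assumption).
DavLockDB /var/lib/dav/lockdb

<VirtualHost *:443>
    ServerName keeweb.example.internal                              # placeholder
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/keeweb.example.internal.crt    # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/keeweb.example.internal.key  # placeholder

    # The KeeWeb UI: LDAP-protected static files.
    <Directory "/var/www/html">
        Options -Indexes
        AllowOverride None
        AuthType Basic
        AuthName "KeeWeb"
        AuthBasicProvider ldap
        # ldap://host/base-dn?attribute?scope?filter (placeholder directory)
        AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN "cn=httpd-ro,ou=services,dc=example,dc=internal"     # placeholder
        AuthLDAPBindPassword "replace-me"                                  # placeholder
        Require valid-user
    </Directory>

    # The WebDAV share holding the .kdbx file; inherits the LDAP settings above.
    <Directory "/var/www/html/webdav">
        Dav On
        # KeeWeb's OPTIONS request must succeed without credentials. Every other
        # method (GET, PUT, PROPFIND, LOCK, ...) still requires a valid LDAP user.
        <RequireAny>
            Require method OPTIONS
            Require valid-user
        </RequireAny>
    </Directory>

    # CORS headers: only needed when KeeWeb is served from a different origin than
    # this share. "*" is rejected by browsers together with Allow-Credentials "true".
    <Location "/webdav">
        Header always set Access-Control-Allow-Origin "https://keeweb.example.internal"
        Header always set Access-Control-Allow-Credentials "true"
        Header always set Access-Control-Allow-Methods "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
        Header always set Access-Control-Allow-Headers "origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
        Header always set Access-Control-Expose-Headers "ETag"
    </Location>

    # Response headers that cover three of the "Missing Security Header" findings.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
</VirtualHost>
```

Two checks worth running after a reload: an unauthenticated `curl -i -X OPTIONS https://keeweb.example.internal/webdav/` should answer 200 with a DAV header, while `curl -i -X PROPFIND https://keeweb.example.internal/webdav/` without `-u` should answer 401. The inner `<RequireAny>` replaces the outer `Require valid-user` because AuthMerging is Off by default, which is what lets OPTIONS through without touching the rest of the site. With SELinux enforcing, PUT into /var/www/html/webdav also needs that directory labelled httpd_sys_rw_content_t, otherwise the chown alone is not enough.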