Java Agents 5.10

Access

The following sections describe how to restrict non-essential access to your deployment, and reduce the amount of non-essential information that it provides.

Remove non-essential features

The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, uninstall it, disable it, or protect access to it.

Remove non-essential access

Make sure that only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and presenting strong-enough credentials.

Make sure that users connect to systems through the latest versions of TLS, and audit system access periodically.

Protect read access to the monitoring endpoints that expose Common REST, Prometheus, and CSV file-based metrics. For the Common REST and Prometheus endpoints:

  • Rename the exposed base endpoints so that they cannot easily be associated with the application.

  • Keep the not-enforced rules strict, so that unauthenticated access is limited to what is genuinely required.

Update patches

Prevent the exploitation of security vulnerabilities by using up-to-date versions of the agent and third-party software.

Review and follow the ForgeRock Security Advisories. To receive email notifications for new security advisories, log in to Backstage, and click the Subscribe button for agent security advisories. Follow similar lists from all of your vendors.

Manage cookies

Increase the security of cookies generated by Java Agent or the protected application in the following ways:

  • To prevent cookies from being easily associated with an application, change the default names of key cookies. For example, change the pre-authentication cookie name in Pre-Authentication Cookie Name, and the JWT cookie name in JWT Cookie Name.

  • To transmit all cookies written by the agent securely, set Transmit Cookies Securely.

  • To reduce the risk of cross-site request forgery (CSRF) attacks, set the SameSite attribute of cookies in Set-Cookie Internal Map or Set-Cookie Attribute Map.

  • To ensure that cookies cannot be read by client-side scripts, and so to mitigate cross-site scripting (XSS) attacks, set Enable HTTP Only Cookies to create cookies with the httpOnly flag.

  • To ensure that a cookie can only be set from an HTTPS origin, prefix the cookie name with __Secure-. A forged insecure site cannot then overwrite the secure cookie.

  • To make cookies accessible only on the same host where they are set, prefix the cookie name with __Host-. A subdomain cannot overwrite the cookie value.

  • To protect the CDSSO session cookie from hijacking, configure AM as described in Enabling restricted tokens for CDSSO session cookies in AM’s Security guide.
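As an added audit example, not part of the agent or of its documentation: a small Python checker that parses Set-Cookie headers captured from the agent or the protected application and reports which items of the checklist above a cookie fails (Secure, HttpOnly, SameSite, the __Host- prefix rules, and a default cookie name left unchanged). The sample headers and the list of default cookie names are constructed placeholders.

```python
from __future__ import annotations

# Constructed placeholder names; substitute the defaults from your agent's
# configuration reference (assumption, not taken from the documentation).
DEFAULT_COOKIE_NAMES = {"am-auth-jwt", "agent-authn-tx"}

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into (name, {attribute: value}); flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_set_cookie(header: str, default_names=DEFAULT_COOKIE_NAMES) -> list[str]:
    """Return the checklist items the cookie fails; an empty list means it passes."""
    name, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if name in default_names:
        findings.append(f"default cookie name {name!r} identifies the agent; rename it")
    if "secure" not in attrs:
        findings.append("missing Secure (Transmit Cookies Securely)")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly (Enable HTTP Only Cookies)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict (CSRF exposure)")
    # Browsers discard prefixed cookies that break the prefix rules, so a
    # mismatch means the cookie is silently dropped rather than merely weakened.
    if name.startswith("__Host-"):
        if "domain" in attrs:
            findings.append("__Host- cookie must not carry a Domain attribute")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must set Path=/")
    return findings

def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Audit several Set-Cookie headers, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}

# Constructed sample headers: one hardened cookie, one left at insecure defaults.
SAMPLE_HEADERS = [
    "__Host-authn=tok123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "am-auth-jwt=eyJ...; Path=/; Domain=example.com",
]
```

Run audit_headers() over the Set-Cookie headers from a real login response to confirm that the configuration changes above actually reached the browser.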