I'm trying to find documentation on standard AMQP headers that RabbitMQ uses and ones reserved by the AMQP protocol. I've reviewed the AMQP documentation and RabbitMQ's website with no luck. Any resources that contain this information? Thanks.
If by headers you mean message headers, then search for "These are the properties for a Basic content" here: http://www.rabbitmq.com/resources/specs/amqp0-9-1.extended.xml
Related
For a debugging purpose, I want to print a specific cookie value in my access.log or request.log.
One way to do it is, from the dispatcherServlet, to add a logger for SlingHttpRequest.getCookies(). But this debugging is needed in Production and I can't make Java code changes and deploy.
I read the documentation and tried to change the org.apache.sling.commons.log.pattern property in org.apache.sling.commons.log.LogManager.factory.config in the configManager for access.log like this:
{0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [{2}] {3} {5} "%cookie{login-token}"
This didn't help. I am able to see that the date timestamp changed, and {2}, {3} etc. are printing. But the cookie value is not printing as desired.
How to print the cookie values in http headers in AEM log files?
I don't think the entire documentation that you are referring to is supported OOB. The pattern format in AEM specifically points to the Pattern Layout section of the documentation. As part of that, there is no support for request cookies.
The request cookies section is specifically present under the pattern layout of the Logback access section which states the below
PatternLayout in logback-access can be configured in much the same way
as its classic counterpart. However it features additional conversion
specifiers suited for logging particular bits of information available
only in HTTP servlet requests and HTTP servlet responses.
That being said, the sling logging documentation mentions using a Sling extension for slf4j MDC support which can be used to expose some of the request variables including cookies. Extract from the doco below
The filter allows configuration to extract data from request cookie,
header and parameters. Look for configuration with name 'Apache Sling
Logging MDC Inserting Filter' for details on specifying header,
cookie, param names.
Once the MDC bundle is downloaded and added to your instance, you can use the Logback patterns instead of the classic pattern for the log format. Example from the doco shown below.
%d{dd.MM.yyyy HH:mm:ss.SSS} *%p* [%X{req.remoteHost}] [%t] %c %msg%n
Hope this helps.
This article says:
With these added headers, Cloudflare passes on all HTTP headers as is
from the client to the origin.
However, there doesn't appear to be a standard way to get the Host from the original request.
Is there a way to do this, either via standard options or enterprise option?
We are developing a RESTful API that fulfills various events. We have done a Nessus vulnerability scan to look for security leaks. It turned out that we have some leaks that lead to clickjacking, and we have found the solution. I have added x-frame-options as SAMEORIGIN in order to handle the problems.
My question here is that, since I am an API, do I need to handle clickjacking? I guess 3rd party user should be able to reach my API over an iframe and I don't need to handle this.
Am I missing something? Could you please share your ideas?
Edit 2019-10-07: #Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.
Original answer:
OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.
I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!
OWASP recommends that not only do you send an X-Frame-Options header but that it is set to DENY.
These are recommendations not for a web site but for a REST service.
The scenario where it makes sense to do this is exactly the one the OP mentioned - running a vulnerability scan.
If you do not return a correct X-Frame-Options header the scan will fail. This matters when proving to customers that your endpoint is safe.
It is much easier to provide your customer a passing report than have to argue why a missing header does not matter.
Adding an X-Frame-Options header should not affect the endpoint consumer as it is not a browser with an iframe.
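Added example, not part of the original answers: one way to make every API response, error responses included, carry a single X-Frame-Options: DENY header, so the scan sees it on every route. It assumes a Python WSGI service; `frame_options_middleware`, `sample_api` and the helper functions are hypothetical names, and the sample API is constructed.

```python
from wsgiref.util import setup_testing_defaults

def frame_options_middleware(app, value="DENY"):
    """Wrap a WSGI app so every response carries exactly one X-Frame-Options header."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Header names are case-insensitive: drop any existing spelling first,
            # so a route that already sends SAMEORIGIN does not end up with two values.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start)
    return wrapped

def sample_api(environ, start_response):
    """Constructed JSON API: one route that already sends SAMEORIGIN, and a 404."""
    if environ["PATH_INFO"] == "/events":
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("x-frame-options", "SAMEORIGIN")])
        return [b'{"events": []}']
    start_response("404 Not Found", [("Content-Type", "application/json")])
    return [b'{"error": "not found"}']

def response_headers(app, path):
    """Call a WSGI app once and return (status, header list) for inspection."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

def frame_values(headers):
    """All X-Frame-Options values present in a header list, whatever the casing."""
    return [v for k, v in headers if k.lower() == "x-frame-options"]

if __name__ == "__main__":
    api = frame_options_middleware(sample_api)
    for path in ("/events", "/missing"):
        status, headers = response_headers(api, path)
        print(path, status, frame_values(headers))
```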
Is there a way to remove the p_auth in the POST header, but still have it in the body? I still require the authentication check, therefore disabling it is not an option. Thanks.
I know that this is an old question but there is no answer yet. You should enable friendly URL mapping in Liferay. This involves creating an XML config file describing the URL patterns and routes. You can find some information on it here.
Once it is enabled you can specify the p_auth parameter to be hidden from the URL.
The documentation refers to the header name as HTTP_X_SHOPIFY_HMAC_SHA256
Looking at webhook requests coming into my servers the header is named x-shopify-hmac-sha256
Which is the correct name? Is it case sensitive?
According to RFC 2616, HTTP headers are case-insensitive. See section 4.2 of the document, titled Message Headers.
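Added example, not part of the original answer: a webhook check that finds the signature header under any casing, including the CGI-style HTTP_X_SHOPIFY_HMAC_SHA256 spelling that frameworks expose, and then compares it in constant time. It assumes the header value is the base64-encoded HMAC-SHA256 of the raw request body under the shared secret; the function names, secret and body are constructed for illustration.

```python
import base64
import hashlib
import hmac

HEADER = "x-shopify-hmac-sha256"

def canonical(name):
    """Fold a header name to one form: lower-case, '-' separators, no CGI 'HTTP_' prefix."""
    name = name.strip()
    if name.upper().startswith("HTTP_"):  # CGI/WSGI/Rack environ spelling
        name = name[5:]
    return name.replace("_", "-").lower()

def get_header(headers, wanted):
    """Case-insensitive lookup; None when absent or when two spellings collide."""
    hits = [v for k, v in headers.items() if canonical(k) == canonical(wanted)]
    return hits[0] if len(hits) == 1 else None

def verify_webhook(headers, raw_body, secret):
    """True only if the header carries base64(HMAC-SHA256(secret, raw_body))."""
    sent = get_header(headers, HEADER)
    if sent is None:
        return False
    expected = base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest())
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, sent.strip().encode("ascii", "ignore"))

# Constructed sample data (not real Shopify values).
SECRET = b"example-shared-secret"
BODY = b'{"id": 1001, "topic": "orders/create"}'
SIG = base64.b64encode(hmac.new(SECRET, BODY, hashlib.sha256).digest()).decode()

if __name__ == "__main__":
    for name in ("x-shopify-hmac-sha256", "X-Shopify-Hmac-SHA256",
                 "HTTP_X_SHOPIFY_HMAC_SHA256"):
        print(name, verify_webhook({name: SIG}, BODY, SECRET))
    print("tampered body", verify_webhook({HEADER: SIG}, BODY + b" ", SECRET))
```

The HMAC must be computed over the raw bytes as received; re-serializing parsed JSON changes the bytes and the check fails.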