Getting vulnerability as HTTP header not detected,


Suraj Patil

Nov 24, 2020, 1:55:33 AM11/24/20
to H2 Database
Hello Team,

We are getting an "HTTP header not detected" vulnerability in the prod environment. How do we remediate it? Any solution?

Evgenij Ryazanov

Nov 24, 2020, 5:17:37 AM11/24/20
to H2 Database
Hello.

H2 is a DBMS, it's not an HTTP server.

H2 has a simple built-in web server for the H2 Console, but it shouldn't be used in production. If you want to have the H2 Console in production, normally you should use the H2 Console servlet and add a proper security configuration for it to your web server. It should be protected from unauthorized users with security constraints, otherwise you may create a remote security hole in your application, especially if you use old versions of H2. You can also add all necessary headers to pages served by your web server either by configuration of the server, if it supports it, or with a custom servlet filter.

H2 hypothetically can be improved to send additional headers from its own simple HTTP server, but, again, it isn't suitable for such use cases.

Suraj Patil

Nov 24, 2020, 5:21:04 AM11/24/20
to h2-da...@googlegroups.com
How can we add headers in the H2 configuration?


Evgenij Ryazanov

Nov 24, 2020, 5:33:16 AM11/24/20
to H2 Database
You can't add anything to the built-in server of H2. Just don't use it in production.

If you're using some other web server (Tomcat, Jetty, etc.) and the H2 Console servlet on it, you can add a javax.servlet.Filter implementation with the @javax.servlet.annotation.WebFilter annotation and add all headers in its doFilter() method. Don't forget to call chain.doFilter(…) from it.

You should also add a security constraint for H2 Console servlet to the web.xml configuration file. Something like

<servlet>
  <servlet-name>H2Console</servlet-name>
  <servlet-class>org.h2.server.web.WebServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>H2Console</servlet-name>
  <url-pattern>/h2-console/*</url-pattern>
</servlet-mapping>
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>H2 Console</web-resource-name>
    <url-pattern>/h2-console/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

In this example a role named admin needs to be defined on your web server, see its documentation for details.
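A filter of the kind described in this reply, written as an added example (it is not code from the thread or from the H2 project). The package and class names and the header values are assumptions; the URL pattern matches the servlet mapping in the web.xml fragment above.

```java
// Added example, not from the thread or from H2: a servlet filter that sets
// security headers on every response served under the H2 Console path.
// Package/class names and header values are assumptions; adjust them to the
// headers your scanner reports as missing.
package com.example.h2console;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Same pattern as the <url-pattern> in the web.xml above, so the filter only
// touches console responses and leaves the rest of the application alone.
@WebFilter(urlPatterns = "/h2-console/*")
public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) response;
            // Stop browsers from MIME-sniffing the response body.
            resp.setHeader("X-Content-Type-Options", "nosniff");
            // The console's own UI is built from frames, so SAMEORIGIN rather than DENY:
            // it still blocks framing by other origins (clickjacking).
            resp.setHeader("X-Frame-Options", "SAMEORIGIN");
            // Only honoured over HTTPS; keeps browsers on TLS for this host.
            resp.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            // Console pages contain query results and schema details; keep them out of caches.
            resp.setHeader("Cache-Control", "no-store");
            resp.setHeader("Referrer-Policy", "no-referrer");
        }
        // Hand the request on to the H2 Console servlet; without this call nothing is served.
        chain.doFilter(request, response);
    }
}
```

Under Servlet 5 and later (Jakarta EE 9+) the same classes live in the jakarta.servlet packages instead of javax.servlet. The filter adds headers only; the security-constraint in web.xml is still what keeps unauthenticated users away from the console.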