One of my customers did security testing after Tableau Server was installed successfully, and they found a few security issues.
These are a few things they raised to fix. Did anyone ever face these kinds of security issues?
Please post your suggestions on each one.
1. SSL cookie without secure flag set
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
2. Ruby code injection
The Referer HTTP header and cookie appear to be vulnerable to Ruby code injection attacks. The submitted value appears to be placed into a dynamically evaluated Ruby statement, within a single-quoted context.
3. Cookie without HttpOnly flag set
4. Strict transport security not enforced
The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.
5. Cacheable HTTPS response
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.
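As an added example (not from the original post or from Tableau), the following script checks a raw HTTP response for the header-level findings listed above: cookies missing the Secure or HttpOnly flag, a missing or zeroed Strict-Transport-Security header, and an HTTPS response with no Cache-Control: no-store. The two sample responses and their cookie names are constructed for illustration; the Ruby injection finding is application logic and cannot be judged from headers.

```python
# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: session_id=abc123; Path=/
Set-Cookie: XSRF-TOKEN=def456; Path=/; Secure
Content-Type: text/html
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Content-Type: text/html
"""


def parse_headers(raw: str) -> list:
    """Return (lower-cased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str, over_tls: bool = True) -> list:
    """Report the cookie, HSTS and caching findings for one response."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:      # cookie would also be sent over plain HTTP
            findings.append(f"cookie {cookie}: Secure flag not set")
        if "httponly" not in attrs:    # cookie readable from script (document.cookie)
            findings.append(f"cookie {cookie}: HttpOnly flag not set")
    hsts = next((v for n, v in headers if n == "strict-transport-security"), None)
    if over_tls and (hsts is None or "max-age=0" in hsts.replace(" ", "").lower()):
        findings.append("Strict-Transport-Security missing or max-age=0")
    cache = " ".join(v.lower() for n, v in headers if n == "cache-control")
    if over_tls and "no-store" not in cache:   # only no-store forbids storing the body
        findings.append("HTTPS response is cacheable (no Cache-Control: no-store)")
    return findings
```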