Hi there, an enterprise client is asking about an OWASP check for ShinyProxy - is there any detail you can give on checks you do or vulnerabilities that have been found and addressed?
Hi @benkates Some customers went through pentesting and formal audits of their ShinyProxy infrastructure. We have worked with them to include minor changes to make the software OWASP proof. In the release notes of version 2.3.1 you will notice a lot of small security enhancements that originate in this exercise: https://shinyproxy.io/downloads/
Hope this helps!
Best,
Tobias
Thanks, we implemented the following and got no major risks from the pen test results:
```yaml
server:
  frameOptions: SAMEORIGIN
  servlet:
    session:
      cookie:
        http-only: true
        secure: true
```
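The two settings in that snippet (the `X-Frame-Options: SAMEORIGIN` response header against clickjacking, and the `Secure` and `HttpOnly` flags on the session cookie) are both directly observable in a single HTTP response, so they can be verified against a running deployment rather than only read from the config file. The following check is an added example written for this thread, not code from ShinyProxy or from either commenter; it assumes the session cookie keeps the Spring Boot default name `JSESSIONID` (ShinyProxy is Spring Boot based; if the name was changed, adjust `SESSION_COOKIE`). The sample responses at the bottom are constructed, not captured from a real server.

```python
"""Verify ShinyProxy response hardening: X-Frame-Options and session cookie flags.

Added example, not ShinyProxy code. Assumption: the session cookie is the
Spring Boot default JSESSIONID.
"""
import http.client
from urllib.parse import urlsplit

SESSION_COOKIE = "JSESSIONID"  # assumption: Spring Boot default, not renamed


def _parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE' all match.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def check_headers(headers):
    """headers: list of (name, value) pairs, e.g. HTTPResponse.getheaders().

    Returns a dict of check name -> True (passed) / False (failed or not seen).
    """
    results = {
        "frame_options": False,
        "session_cookie_seen": False,
        "session_cookie_secure": False,
        "session_cookie_httponly": False,
    }
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            # SAMEORIGIN (what the config above sets) and DENY both block
            # framing by third-party origins; anything else is a failure.
            results["frame_options"] = value.strip().upper() in ("SAMEORIGIN", "DENY")
        elif lname == "set-cookie":
            cname, attrs = _parse_set_cookie(value)
            if cname == SESSION_COOKIE:
                results["session_cookie_seen"] = True
                results["session_cookie_secure"] = "secure" in attrs
                results["session_cookie_httponly"] = "httponly" in attrs
    return results


def failures(headers):
    """Human-readable list of failed checks; an empty list means all passed."""
    r = check_headers(headers)
    msgs = []
    if not r["frame_options"]:
        msgs.append("X-Frame-Options missing or not SAMEORIGIN/DENY (clickjacking)")
    if not r["session_cookie_seen"]:
        # A response without the cookie is inconclusive, not a pass: request a
        # page that actually starts a session (e.g. the login page).
        msgs.append("no %s cookie in response; cookie flags could not be checked" % SESSION_COOKIE)
    else:
        if not r["session_cookie_secure"]:
            msgs.append("%s cookie lacks Secure (would be sent over plain HTTP)" % SESSION_COOKIE)
        if not r["session_cookie_httponly"]:
            msgs.append("%s cookie lacks HttpOnly (readable from JavaScript)" % SESSION_COOKIE)
    return msgs


def fetch_headers(url, timeout=10):
    """Fetch response headers from a live deployment (network; not used offline)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
HARDENED = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "JSESSIONID=AB12CD34; Path=/; Secure; HttpOnly"),
]
WEAK = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=AB12CD34; Path=/"),
]

if __name__ == "__main__":
    import sys
    # Pass a URL to test a live instance; with no argument the weak sample is checked.
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK
    for msg in failures(headers) or ["all checks passed"]:
        print(msg)
```

Run it against the login page of the deployment (through whatever TLS-terminating proxy sits in front of ShinyProxy, since `Secure` only matters on the URL users actually reach). A response that carries no `JSESSIONID` cookie is reported as inconclusive rather than as a pass; only a response that sets the cookie proves the flags are applied.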
Hi @benkates
We are now also using OWASP Dependency Check to make sure we use no dependencies with known vulnerabilities.
More information can be found on our website https://shinyproxy.io/documentation/security/#secure-dependencies
The next major release of ShinyProxy will update the Keycloak and Docker dependencies to the latest version.