The “Referer” header is an HTTP header that the web browser adds whenever a request is made. A Zimbra user who receives an email with links or images in the Zimbra web interface may unknowingly share information about the Zimbra server when clicking the link or viewing inline images. For example when an email […]
Tag Archives | security
Did you know? Zimbra HTTP Strict Transport Security (HSTS)
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. What does HSTS do for improving security? You have HSTS configured on Zimbra and have configured a correct TLS […]
Protecting Zimbra with Sucuri web application firewall
You can enhance the security of your Zimbra servers by using a web application firewall (WAF). By using a web application firewall you can add the following protections to Zimbra: geo blocking, geo fencing; blocking or allowing IP addresses; emergency DDoS protection; block anonymous proxies; block top three attack countries; manage HTTP security headers; Limited […]
Update Zimbra TLS cipher suites to disable Diffie-Hellman
In a previous blog and wiki we have shown how to configure Zimbra with a strong TLS configuration. Since encryption is always evolving we have updated the previous blog and wiki to disable Diffie-Hellman. If you have applied the steps from the Cipher Suites wiki before, you can run the following commands as user zimbra […]
Zimbra Now Works with Thales’ SafeNet Trusted Access
Hello Zimbra Customers, Partners & Friends, We’re happy to announce that Zimbra now works with Thales’ SafeNet Trusted Access (STA) to provide single sign-on (SSO), policy configuration and multi-factor authentication (MFA). This makes it easy to meet compliance mandates such as GDPR and PCI DSS by letting you decide who has access to Zimbra and how their identity is verified. Thales’ SSO Application […]
How to use DOMPurify in your Zimlet for XSS sanitizing
Cross-Site Scripting (XSS) attacks are a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted websites. If you are developing a Zimlet, you should not trust any form of user input. If you integrate third-party services via your Zimlet, you probably also want to sanitize any data […]