1.4.3

Software Release Date: 17 September, 2024

Summary:

In this release, the Gateway now includes the HSTS header in the GET / endpoint, which was missing in version 1.4.1. For the Portal, the default nginx configuration has been updated to hide version information by setting server_tokens off. The Content-Security-Policy has been revised to allow specific sources, ensuring better security. Additionally, a fix was applied to the add_header Content-Security-Policy command to correct its arguments, and new security headers have been added to the nginx configuration.

Gateway

HSTS header also added to GET / (was not included in 1.4.1).

Portal

Changed:
- Content-Security-Policy value changed to default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *.meeco.me *.meeco.cloud *.svx.exchange *.securevalueexchange.com *.windows.net *.amazonaws.com *.google.com *.gstatic.com *.googleapis.com cdn.jsdelivr.net.
Added:
- nginx default config added with server_tokens off so that nginx version information is not returned via Server header value.
- Security headers to 'ngix' config.
Fixed:
- add_header Content-Security-Policy called with correct number of arguments.

Last updated 6 months ago

Was this helpful?