Limit Control+J Information
The browser shortcut key combination Control+J or Ctrl+J (which you sometimes need to press twice in browsers) provides some really useful information. However, in a production environment there is some sensitive information you might want to remove from the display such as:
- Database Name
- Database Type
- Application Server
Optionally, you might also want to remove:
- Tools Release
- Application Release
- Service Pack
You can bet that if you have organised any penetration testing this will be one of the first things to get picked up.
The web profile settings allow you to turn Control+J on or off under:
On changing this the web profile will need to be reloaded using servlet directives or a web server restart.
However, turning off Control+J is an all or nothing setting and turning it off also takes away some of the valuable information it provides. A compromise is to limit the Control+J options through a simple customisation.
In application designer, open the HTML definition, PT_INFOPAGECONNECT. This is the HTML displayed on the Control+J page. The labels for each element are stored in the message catalog. Here's how they map:
| Message Set | Message Number | Message Text |
|---|---|---|
| 146 | 50 | Browser |
| 146 | 51 | Operating System |
| 146 | 52 | Tools Release |
| 146 | 53 | Application Release |
| 146 | 54 | Service Pack |
| 146 | 55 | Page |
| 146 | 56 | Component |
| 146 | 57 | Menu |
| 146 | 58 | User ID |
| 146 | 59 | Database Name |
| 146 | 60 | Database Type |
| 146 | 61 | Application Server |
| 209 | 831 | Component Buffer Size (KB) |
To hide the information that is sensitive, simply use HTML comments <!— —> to comment out the parts you don't want to show, e.g. for the Database Name, Database Type and Application Server (59,60,61) you could change the code in the HTML to this:
<!-- <Reference> <Author> <DD/MM/YYYY>: Hide sensitive information from Control+J -->
<!--
<tr>
<td class='PSEDITBOXLABEL'>%Message(146,59)</td>
<td class='PSTEXT'>%DBName</td>
</tr>
<tr>
<td class='PSEDITBOXLABEL'>%Message(146,60)</td>
<td class='PSTEXT'>%DBType</td>
</tr>
<tr>
<td class='PSEDITBOXLABEL'>%Message(146,61)</td>
<td class='PSTEXT'>%AppServer</td>
</tr>
-->
This is how Control+J now looks with above information commented out:
You would do a similar thing for Tools Release, Application Release and Service Pack (52,53,54) if you did not want to show that information either.
No Comments